definite expression aliasing analysis for java bytecode

Julia

Definite Expression Aliasing Analysisfor Java Bytecode

Ðurica Nikolic1,2 and Fausto Spoto1

1. - Dipartimento di Informatica, University of Verona (Italy)2. - Microsoft Research - University of Trento Centre for Computational and Systems Biology

Bangalore, 25th September 2012

Ð. Nikolic, F. Spoto (ICTAC 2012) Definite Expression Aliasing Analysis Bangalore, 25th September 2012 1 / 18

Introduction Motivating Example

Motivating Example: HoneycombGallery

if (mCamera != null) {then:

mCamera.stopPreview();

mPreview.setCamera(null);

mCamera.release();

mCamera = null;

}else:

..........







mCamera.release();

mCamera = null;

}else:

..........

aload 0

getfield mCamera:Landroid/hardware/Camera;

ifnull else

then:

...







mCamera.release();

mCamera = null;

}else:

..........

aload 0


ifnull else

then:

...

� if the top of the stack is null, go to else







mCamera.release();

mCamera = null;

}else:

..........

aload 0


ifnull else

then:

...


� is definitely non-null� at then: the top of the stack







mCamera.release();

mCamera = null;

}else:

..........

aload 0


ifnull else

then:

...


� is definitely non-null� ifnull removes the top of the stack

� at then: the top of the stack







mCamera.release();

mCamera = null;

}else:

..........

aload 0


ifnull else

then:

...


� is definitely non-null� ifnull removes the top of the stack� but it is aliased to this.mCamera








mCamera.release();

mCamera = null;

}else:

..........

aload 0


ifnull else

then:

...

mCamera.stopPreview() does not launch a NullPointerException


� is definitely non-null� ifnull removes the top of the stack� but it is aliased to this.mCamera



Introduction State of the Art

Haven’t we solved this problem yet?There is a lot of pointer analyses: [Hind01] surveys more than 75 papers

possible (may) aliasing

pairs of variables that might point tothe same memory location

over-approximation

WALA, soot, JAAT

definite (must) aliasing

pairs of variables that must point tothe same memory location

under-approximation

no tool for Java or Java bytecode

We provide a novel approach dealing with Java bytecode programsand providing expressions definitely aliased to variables


Introduction Application

Where can it be useful?

expressions definitely aliased to v are non-null after if (v!=null)expressions E.f are non-null after an assignment w.f=exp if

exp is non-null andE is definitely aliased to w andevaluations of E must not update f

inference of symbolic upper and lower bounds after comparison x < y:expressions definitely aliased to y are upper bounds for xexpressions definitely aliased to x are lower bounds for y


Syntax and Semantics of Java Bytecode

Target language: Java bytecode

public class Event {public int hr, min;...public int delayMinBy(int offset) {return min + offset;

}...}

load 0 Eventgetfield Event.min : int

load 1 intadd int

return int

catchthrow java.lang.Throwable



State

local variables: L = {l0, . . . , li−1} stack elements: S = {s0, . . . , sj−1}

variables: V = L ∪ S = {v1, . . . , vi+j}

σ = 〈〈[@`1, 20,@`3,@`4] ‖ @`2〉, µ〉



State

local variables: L = {l0, . . . , li−1} stack elements: S = {s0, . . . , sj−1}

variables: V = L ∪ S = {v1, . . . , vi+j}

memoryµ ρ environment`1

20

`3

`4

null

15

ListEvents

Event

ListEvents

hrEvent

`1

`2

10

`3

`4o4

o3

o2

o1

head

`1

`2

`3

`4

18hr20

head

min

tail

min

tail `2

l0

l1

l2

l3s0

v1

v2

v3

v4

v5

σ = 〈〈[@`1, 20,@`3,@`4] ‖ @`2〉, µ〉


Alias Expressions Definition of expressions

Expressions

F - set of all field names

M - set of all method names

We define E, the set of expressions:

E 3 E ::= n constants

| v variables

| E ⊕ E arithmetic expressions

| E.f field accesses

| E.m(E, . . .) method invocations,

where n ∈ Z, v ∈ V, ⊕ ∈ {+,−,×,÷,%}, f ∈ F and m ∈ M.


Alias Expressions Evaluation of expressions

Evaluation of expressions


20

`3

`4

null

15

ListEvents

Event

ListEvents

hrEvent

`1

`2

10

`3

`4o4

o3

o2

o1

head

`1

`2

`3

`4

20hr18

head

min

tail

min

tail `2s0

v1

v2

v3

v4

v5

l0

l1

l2

l3

evaluation of l2.min in 〈ρ, µ〉: ~l2.min�〈ρ, µ〉

~l2�〈ρ, µ〉 = `3

µ(`3) = o3

~l2.min�〈ρ, µ〉 = o3.min = 20





20

`3

`4

null

15

ListEvents

Event

ListEvents

hrEvent

`1

`2

10

`3

`4o4

o3

o2

o1

head

`1

`2

`3

`4

hr

head

min

tail

min

tail `2s0

v1

v2

v3

v4

v5

2018

l0

l1

l2

l3

evaluation of l2.min in 〈ρ, µ〉: ~l2.min�〈ρ, µ〉~l2�〈ρ, µ〉 = `3

µ(`3) = o3

~l2.min�〈ρ, µ〉 = o3.min = 20





20

`3

`4

null

15

ListEvents

Event

ListEvents

hrEvent

`1

`2

10

`3

`4o4

o2

o1

head

hr

head

min

tail

min

tail `2s0

v1

v2

v3

v4

v5

`1

`2

`3

`4

o32018

l0

l1

l2

l3


µ(`3) = o3

~l2.min�〈ρ, µ〉 = o3.min = 20





20

`3

`4

null

15

ListEvents

Event

ListEvents

hrEvent

`1

`2

10

`3

`4o4

o2

o1

head

hr18

head

min

tail

min

tail `2s0

v1

v2

v3

v4

v5

`1

`2

`3

`4

o320

l0

l1

l2

l3


µ(`3) = o3

~l2.min�〈ρ, µ〉 = o3.min = 20


Alias Expressions Definition of alias expressions

Alias Expressions

We say that an expression E ∈ E is an alias expression of a variable v ∈ Vin a state σ if and only if ~E�σ = ~v�σ.


20

`3

`4

null

15

ListEvents

Event

ListEvents

hrEvent

`1

`2

10

`3

`4o4

o2

o1

head

hr18

head

min

tail

min

tail `2s0

v1

v2

v3

v4

v5

`1

`2

`3

`4

o320

l0

l1

l2

l3

~l2.min�〈ρ, µ〉 = o3.min = 20

~l1�〈ρ, µ〉 = 20

l2.min is an alias expression of l1 in 〈ρ, µ〉


Alias Expressions Definition of alias expressions

Alias Expressions

We say that an expression E ∈ E is an alias expression of a variable v ∈ Vin a state σ if and only if ~E�σ = ~v�σ.


20

`3

`4

null

15

ListEvents

Event

ListEvents

hrEvent

`1

`2

10

`3

`4o4

o2

o1

head

hr18

head

min

tail

min

tail `2s0

v1

v2

v3

v4

v5

`1

`2

`3

`4

o320

l0

l1

l2

l3

~l2.min�〈ρ, µ〉 = o3.min = 20~l1�〈ρ, µ〉 = 20

l2.min is an alias expression of l1 in 〈ρ, µ〉


Definite Expression Aliasing Analysis

Abstract Interpretation Framework [CousotCousot77]

C

A

α γ

C

A

f

f ]

α γ

best correct approximation: f bca = α ◦ f ◦ γin practice: f ] is less precise than f bca and

introduces loss of precision

concretedomain

abstractdomain

abstractionmap

concretizationmap


Definite Expression Aliasing Analysis Abstract states

Concrete and Abstract Domains

Σ - set of all states

V = v1, . . . , vi+j - set of all variables

Concrete Domain: C = ℘(Σ)

Abstract Domain: A = (℘(E))i+j

an abstract element 〈A1, . . . ,Ai+j〉 contains, for each variable vr , a set ofexpressions Ar ⊆ E definitely aliased to vr

concrete states σ corresponding to 〈A1, . . . ,Ai+j〉 must satisfy the aliasinginformation represented by the latter, i.e., for each vr , the value of all theexpressions from Ar in σ must coincide with the value of vr

Concretization Map:

γ(〈A1, . . . ,Ai+j〉) = {σ ∈ Σ | ∀vr .∀E ∈ Ar .~E�σ = ~vr�σ}


Definite Expression Aliasing Analysis Abstract semantics

Constraint-based static analysis - example

Abstract Constraint Graph (ACG= 〈V ,E〉) gives rise to anapproximation of the aliasing information at each point of a program P.

the cfg of P gives rise to the nodes and arcs of the ACG,i.e., there is a node for every bytecode and there is an arc between2 nodes if their corresponding bytecodes are adjacent in the CFG.

each node is decorated by an abstract element, i.e., by a tuple of setsof expressions representing a definite aliasing information at that point.

arcs propagate approximations of the aliasing information of theirsources, i.e., they represent abstract semantics of bytecodes.





load 1 intadd int

return int






load 1 intadd int

return int


node anode c

catch

node 9exception@delayMinBy

node bstore 3 int

node 6exit@delayMinBy

call Event.delayMinBy(int) : int

node 1load 0 Event

node 2getfield Event.min: int

node 3load 1 int

node 4add int

node 5return int

node 7catch

node 8throw java.lang.Throwable

]14

]16]18 ]18

]17

]3

]7 ]3

]10

]5]15

]12

]13



Propagation rules - example

load 1 intnode 5

getfield Event.min:intnode 2

#5

{v3}, {2v1}, {v1}

!

v1

!

v2

!

v3

initialapproximation

typeenvironment

Event int Event

v3 = s0

L Sv1 = l0 v2 = l1

sequentialarc

each variable different from the top

of the stack keeps all its alias

expressions in which the top of the

stack does not appear

for each alias expression E of the topof the stack before getfield min,E.min becomes an alias expressionof the top of the stack aftergetfield min if no evaluation ofE might modify min





#5


typeenvironment

Event int

v1 = l0 v2 = l1 v3 = s0

L S

typeenvironment

Event int

v1 = l0 v2 = l1 v3 = s0

L S

Event

int

load 1 intnode 5

sequentialarc

{v3}, {2v1}, {v1}

!

v1

!

v2

!

v3










#5


typeenvironment

Event int

L S

typeenvironment

Event int

L S

load 1 intnode 5

Event

v1 = l0 v2 = l1

v1 = l0 v2 = l1

v3 = s0

v3 = s0

int

sequentialarc

{v3}, {2v1}, {v1}

!

v1

!

v2

!

v3each variable different from the top









#5


typeenvironment

Event int

L S

typeenvironment

Event int

L S

load 1 intnode 5

Event

finalapproximation

∅, {2v1}, ?

!

v1

!

v2

!

v3

v1 = l0 v2 = l1

v1 = l0 v2 = l1

v3 = s0

v3 = s0

int

sequentialarc

{v3}, {2v1}, {v1}

!

v1

!

v2

!










#5


typeenvironment

Event int

L S

typeenvironment

Event int

L S

load 1 intnode 5

Event

finalapproximation

v1 = l0 v2 = l1

v1 = l0 v2 = l1

v3 = s0

v3 = s0

int

sequentialarc

{v3}, {2v1}, {v1}

!

v1

!

v2

!

v3

∅, {2v1}, ?

!

v1

!

v2

!

v3










#5


typeenvironment

Event int

L S

typeenvironment

Event int

L S

load 1 intnode 5

Event

finalapproximation

v1 = l0 v2 = l1

v1 = l0 v2 = l1

v3 = s0

v3 = s0

int

sequentialarc

{v3}, {2v1}, {v1}

!

v1

!

v2

!

v3

∅,{2v1},{v1.min}

!

v1

!

v2

!

v3










#5


typeenvironment

Event int

v1 = l0 v2 = l1

L S

typeenvironment

Event int

v1 = l0 v2 = l1

L S

load 1 intnode 5

Event

v3 = s0

v3 = s0

finalapproximation

int

sequentialarc

∅,{2v1},{v1.min}

!

v1

!

v2

!

v3

{v3}, {2v1}, {v1}

!

v1

!

v2

!









catchnode 5


#15


typeenvironment

Event int Event

v3 = s0

L Sv1 = l0 v2 = l1

exceptionalarc

{v3}, {2v1}, {v1}

!

v1

!

v2

!

v3

if vr < S = {s0 = v3},A′r = {E ∈ Ar | v3 does not appear in E}

if vr = v3,A′r = ∅




catchnode 5


#15


typeenvironment

Event int

v3 = s0

L Sv1 = l0 v2 = l1

typeenvironment

Event int

v1 = l0 v2 = l1

L Sv3 = s0

NPE

Event

exceptionalarc

{v3}, {2v1}, {v1}

!

v1

!

v2

!

v3


if vr = v3,A′r = ∅




catchnode 5


#15

{v3},∅, {v1}

! ! !

v3


typeenvironment

Event int Event

v3 = s0

L Sv1 = l0 v2 = l1

typeenvironment

Event int

v1 = l0 v2 = l1

L Sv3 = s0

NPE

v1 v2

exceptionalarc

exceptionalarc


if vr = v3,A′r = ∅




catchnode 5


#15

〈{v3},∅, {v1}〉

! ! !

v3


typeenvironment

Event int Event

v3 = s0

L Sv1 = l0 v2 = l1

typeenvironment

Event int

v1 = l0 v2 = l1

L Sv3 = s0

NPE

v1 v2

finalapproximation

exceptionalarc

{v3}, {2v1}, {v1}

!

v1

!

v2

!

v3

∅, {2v1}, ?

!

v1

!

v2

!

v3


if vr = v3,A′r = ∅




catchnode 5


#15


typeenvironment

Event int Event

v3 = s0

L Sv1 = l0 v2 = l1

typeenvironment

Event int

v1 = l0 v2 = l1

L Sv3 = s0

NPE

finalapproximation

exceptionalarc

∅, {2v1}, ?

!

v1

!

v2

!

v3

{v3}, {2v1}, {v1}

!

v1

!

v2

!

v3


if vr = v3,A′r = ∅




catchnode 5


#15


typeenvironment

Event int Event

v3 = s0

L Sv1 = l0 v2 = l1

typeenvironment

Event int

v1 = l0 v2 = l1

L Sv3 = s0

NPE

finalapproximation

exceptionalarc

{v3}, {2v1}, {v1}

!

v1

!

v2

!

v3

∅, {2v1}, ∅

!

v1

!

v2

!

v3


if vr = v3,A′r = ∅




catchnode 5


#15


typeenvironment

Event int Event

v3 = s0

L Sv1 = l0 v2 = l1

typeenvironment

Event int

v1 = l0 v2 = l1

L Sv3 = s0

NPE

finalapproximation

exceptionalarc

∅, {2v1}, ∅

!

v1

!

v2

!

v3

{v3}, {2v1}, {v1}

!

v1

!

v2

!

v3


if vr = v3,A′r = ∅


Experimental evaluation Julia static analyzer - www.juliasoft.com

Julia - a static analyzer for Java and Android

Definite Expression Aliasing Analysishas been implemented inside Julia as a supporting analysis for

Nullness and Termination tools


Experimental evaluation Nullness Analysis

Effects of our Definite Expression Aliasing Analysis on the Nullness Analysis of Julia

precision improved by 45.98% runtime increases by 9.88%

0

100

200

300

400

500

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33

RUNTIME WITHOUT ALIASING ANALYSIS RUNTIME WITH ALIASING ANALYSIS

0

50

100

150

200

250

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33

NULLNESS WITHOUT ALIASING ANALYSIS NULLNESS WITH ALIASING ANALYSIS


Experimental evaluation Termination Analysis

Effects of our Definite Expression Aliasing Analysis on the Termination Analysis of Julia

precision improved by 11.44% runtime increases by 12.57%

0

50

100

150

200

250

300

350

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 RUNTIME WITHOUT ALIASING ANALYSIS RUNTIME WITH ALIASING ANALYSIS

0

20

40

60

80

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 TERMINATION WITHOUT ALIASING ANALYSIS TERMINATION WITH ALIASING ANALYSIS


Conclusions

Goal: define, formally prove correct and implementa Definite Expression Aliasing Analysis for Java bytecode

1 definition of a concrete operational semantics of aJava bytecode-like target language;

2 formal definition of a notion of alias expressions;3 a constraint-based inter-procedural static analysisbased on abstract interpretation;

4 formal proof of existence and uniqueness of solutionsof our constraints

5 formal proof of correctness of the analysis;6 implementation of our inter-procedural analysisfor full Java bytecode;

7 experimental evaluation of our approachon real life benchmarks.


Conclusions

Thank You!!!


definite expression aliasing analysis for java bytecode

Documents