J. S. Foster, M. Fahndrich, and A. Aiken. Polymorphic versus monomorphic flow-insensitive points-to analysis for C. In Proc. Static Analysis Symposium, volume 1824 of LNCS, pages 175--198. Springer-Verlag, 2000.  Home/Search   Document Details and Download   Summary   Related Articles   Check

....Java and C . Both flow sensitive and context sensitive techniques were used in pointer analysis [21] In general, the analysis community decided that flow sensitivity was not scalable to large programs. Context sensitivity for C pointer analysis also was explored independent of flow sensitivity [17, 22, 35], but the verdict on its effectiveness is less clear. Keeping calling contexts distinguished is of varying importance in a C program, depending on programming style, whereas in object oriented codes it seems crucial for obtaining high precision for problems needing dependence information, for ....

J. Foster, M. F ahndrich, and A. Aiken. Polymorphic versus monomorphic flow-insensitive points-to analysis for c. In in Proceedings of International Symposium on Static Analysis, April 2000.

....to e.g. the analysis can determine which are the locations that p may point to at line 1. In addition, pointer analysis determines which function addresses may be stored in a given function pointer. Because of the importance of such information, a variety of pointer analyses have been developed [11, 12, 9, 5, 1, 22, 20, 25, 18, 13, 7, 4, 6, 3]. These analyses provide different tradeoffs between cost and precision. For example, flow and context insensitive pointer analyses [1, 20, 25, 18, 4] ignore the flow of control between program points and do not distinguish between different calling contexts of procedures. As a result, such ....

....a conceptual fully precise pointer analysis . This analysis is a fully flow sensitive, contextsensitive, field sensitive pointer analysis that represents a point at the very high end of the design space for pointer analysis. A large number of pointer analyses (or their minor variations) [11, 9, 5, 1, 22, 20, 25, 18, 13, 7, 4, 6, 3] can be considered approximate versions of P that is, the solution computed by is a subset of the solutions computed by these analyses. was specifically designed to achieve this high precision. For example, the analysis maintains full information about calling context; for existing ....

[Article contains additional citation context not shown here]

J. Foster, M. Fahndrich, and A. Aiken. Polymorphic versus monomorphic flow-insensitive points-to analysis for C. In Static Analysis Symposium, LNCS 1824, pages 175--198, 2000.

....from above, pointer analysis can determine what are the locations that p may point to. In addition, pointer analysis determines which function addresses may be stored in a given function pointer. Because of the importance of such points to information, a variety of analyses have been developed [10, 9, 5, 1, 18, 17, 20, 15, 11, 7, 4, 6, 3, 14, 8]. These analyses provide different tradeoffs between cost and precision. For example, flow and context insensitive pointer analyses [1, 17, 20, 15, 4] ignore the flow of control between program points and do not distinguish between different calling contexts of procedures. As a result, such ....

....FA analysis may provide sufficient precision for the purposes of call graph construction. In this context, the use of more expensive pointer analyses may not be necessary. 6 Related Work There is a large body of work on various pointer analyses for C with different degrees of cost and precision [10, 9, 5, 1, 18, 17, 20, 15, 11, 7, 4, 6, 3, 14, 8]. Traditionally, the precision of these analyses has been evaluated with respect to the disambiguation of indirect memory reads and writes (e.g. in p=1) Our work evaluates the precision of pointer analysis with respect to indirect procedure calls and call graph construction. Existing work ....

J. Foster, M. Fahndrich, and A. Aiken. Polymorphic versus monomorphic flow-insensitive points-to analysis for C. In International Static Analysis Symposium, LNCS 1824, pages 175--198, 2000.

....Side e#ect analysis for languages like C is di#cult because pointers allow indirect memory accesses and indirect procedure calls. Typically, mod analysis uses the output of a points to analysis to resolve pointer dereferences. Various whole program points to analyses have been developed [35, 33, 21, 4, 68, 60, 69, 56, 36, 25, 17, 23, 12, 32, 54]. In this chapter we focus on the category of flow and context insensitive analyses [4, 60, 69, 56, 17, 32] Such analyses ignore the flow of control between program points and do not distinguish between di#erent calling contexts of procedures. As a result, analyses from this category are e#cient ....

....to flowinsensitive analyses and are not included in the representation. Because of the weak type system of C (due to typecasting and union types) we assume that type information is not used in the points to and mod analyses , and therefore the program representation is untyped. Similarly to [60, 56, 55, 22, 25, 17, 23, 34, 32], structures and arrays are represented as monolithic objects without distinguishing their individual elements. We assume that calls to malloc and other heap allocating functions are replaced by statements of the form x = heap i , where heap i is a variable unique to the allocation site. Figure ....

J. Foster, M. Fahndrich, and A. Aiken. Polymorphic versus monomorphic flowinsensitive points-to analysis for C. In Static Analysis Symposium, LNCS 1824, pages 175--198, 2000.

....[1] or simply pointer analysis. Recent work on pointer analysis has focused on efficiency [3, 4, 5] tradeoffs between efficiency and accuracy (e.g. the choice of a subset based [6] or unification based [7] analysis [8, 9] or on the cost and benefits of context sensitivity and polymorphism [10, 11]. Techniques for incremental analyses have been proposed, so that small modifications of the source code require only small recomputation [9, 15] Although these methods can reduce the cost of typical end toend applications of pointer analyses, in the end they perform an exhaustive analysis i.e. ....

....for a context sensitive analysis. By restricting attention to contexts that are relevant to a particular query, a demand driven analysis could potentially support much more aggressive context duplication (and flow duplication) policies e.g. beyond the polymorphic points to analysis considered in [11]. Moreover, we expect that aggressive contextduplication will improve the query independence of the pointsto graph, and that degenerate behavior, where one query requires computation of the entire points to graph, will be much less likely. As a first step towards demand driven points to ....

J. Foster, M. Fahndrich and A. Aiken, "Polymorphic versus Monomorphic Flow-insensitive Points-to Analysis for C", SAS 2000.

....In this paper we consider a constraint language with simple inequality constraints over a lattice. Such constraints show up in several type based program analyses such as flow analyses, e.g. Mos97] binding time analyses, e.g. DHM95] usage analyses, e.g. TWM95] points to analyses, e.g. [FFA00] and uniqueness type systems [BS96] We extend this simple constraint language with constraint abstractions which allow the constraints to compactly express substitution instantiation. The main result of this paper is a constraint solving algorithm which computes least solutions to the extended ....

.... be used to yield a cubic algorithm for Mossin s polymorphic flow analysis with flow subtyping and flow polymorphic recursion [Mos97] We believe that our approach can be applied to a number of other type based program analyses such as binding time analyses, e.g. DHM95] points to analyses, e.g. [FFA00] and uniqueness type systems [BS96] An interesting possibility for future work is to explore alternative constraint solving algorithms. The current algorithm has a rather compositional character in that, it rewrites the body of a constraint abstraction without considering how it is called. In ....

J. Foster, M. Fandrich, and A. Aiken. Polymorphic versus Monomorphic Flow-insensitive Points-to Analysis for C. In Proceedings of

....can be used to reduce the effect of join points. However the cost of these additional mechanisms can be large, and without other breakthroughs, they are unlikely to scale to millions of lines of code. Also, recent results suggest that this approach may be of little benefit for Andersen s analysis [13]. In principle, ideas from sub transitive control flow analysis [18] could also be applied to avoid propagation of the information from join points. The basic idea of sub transitive control flow analysis is that the usual dynamic transitive closure formulation of control flow analysis is ....

J. Foster, M. Fahndrich and A. Aiken, "Polymorphic versus Monomorphic Flow-insensitive Points-to Analysis for C", SAS 2000.

....all functions that are pointed to by fp. Precise information about memory accesses and procedure calls is fundamental for a large number of static analyses used in optimizing compilers and software engineering tools. To obtain such information, a variety of pointer analyses have been developed [8, 7, 4, 1, 15, 14, 17, 12, 9, 6, 3, 5, 2]. These analyses provide di#erent tradeo#s between cost and precision. For example, flowand context insensitive pointer analyses [1, 14, 17, 12, 3] # This research was supported by NSF grant CCR 9900988 and by Siemens Corporate Research. ignore the flow of control between program points and do ....

J. Foster, M. Fahndrich, and A. Aiken. Polymorphic versus monomorphic flow-insensitive pointsto analysis for C. In Static Analysis Symposium, LNCS 1824, pages 175--198, 2000.

....appear in a program. As in most pointer aliasing algorithms, arrays are treated as single variables by FSAlias and F IAlias. Some algorithms distinguish the independent fields of a structure (e.g. FSAlias, F IAlias, EGH94, WL95, ZRL96, Ste96a] while others do not (e.g. SH97b, Ste96b, FRD00, FFA00, Das00] An added complication is presented by non visible object names. The non visibles are local variables of procedures live at the call site (or in an earlier invocation of the current procedure) which are accessible through an alias, although not visible directly in the current scope. ....

....imprecise aliases being created. FSAlias has worst case polynomial time complexity. 2.6.2 FIAlias F IAlias is a fast coarse grained alternative to FSAlias. FIAlias is a flow context insensitive algorithm [Cou86, Gua88, BCCH94, And94, SH97b, Ste96b, ZRL96, Zha98, Wei80, HP98, RC00, Das00, FRD00, FFA00] which calculates the same points to sets as Steensgaard s algorithm, although independently derived [Ste96b, Zha95] we do not describe it as a non standard type analysis and we do not use constraint based solution procedures. Aliasing is expressed as a relation between pairs of object names, ....

[Article contains additional citation context not shown here]

J. Foster, M. Fahndrich, and A. Aiken. Polymorphic versus monomorphic flow-insensitive points-to analysis for c. In in Proceedings of International Symposium on Static Analysis, April 2000.

....for clients such as sidee #ect analysis and def use analysis. 7 Related Work Points to analysis for object references in Java is clearly related to pointer analysis for imperative languages such as C. There are various pointer analyses for C with di#erent tradeo#s between cost and precision [26, 24, 16, 5, 33, 44, 36, 35, 27, 20, 12, 18, 10]. The closest related work from this category are the e#cient constraint based implementations of Andersen s analysis [17, 38] which use the inductive form representation together with e#cient resolution techniques such as cycle elimination and projection merging. Our work extends this approach ....

J. Foster, M. Fahndrich, and A. Aiken. Polymorphic versus monomorphic flow-insensitive points-to analysis for C. In Static Analysis Symposium, LNCS 1824, pages 175--198, 2000.

....In this paper we consider a constraint language with simple inequality constraints over a lattice. Such constraints show up in several type based program analyses such as flow analyses, e.g. Mos97] binding time analyses, e.g. DHM95] usage analyses, e.g. TWM95] points to analyses, e.g. [FFA00] and uniqueness type systems [BS96] We extend this simple constraint language with constraint abstractions which allow the constraints to compactly express substitution instantiation. The main result of this paper is a constraint solving algorithm which computes least solutions to the extended ....

.... be used to yield a cubic algorithm for Mossin s polymorphic flow analysis with flow subtyping and flow polymorphic recursion [Mos97] We believe that our approach can be applied to a number of other type based program analyses such as binding time analyses, e.g. DHM95] points to analyses, e.g. [FFA00] and uniqueness type systems [BS96] An interesting possibility for future work is to explore alternative constraint solving algorithms. The current algorithm has a rather compositional character in that, it rewrites the body of a constraint abstraction without considering how it is called. In ....

J. Foster, M. Fandrich, and A. Aiken. Polymorphic versus Monomorphic Flow-insensitive Points-to Analysis for C. In Proceedings of 2000 Static Analysis Symposium, 2000.

....di#cult because pointers allow indirect memory accesses and indirect procedure calls. Typically, mod analysis uses the output of 1 a points to analysis to resolve indirect memory accesses and to determine the targets of indirect calls. Various wholeprogram points to analyses have been developed [15, 13, 7, 2, 27, 24, 28, 22, 16, 11, 6, 9, 4]. Our work is focused on the category of flow and context insensitive analyses [2, 24, 28, 22, 6] Such analyses ignore the flow of control between program points and do not distinguish between di#erent calling contexts of procedures. As a result, analyses from this category are very e#cient and ....

....points to and mod analyses, and are not included in the representation. Because of the weak type system of C (due to typecasting and union types) we assume that type information is not used in the points to and mod analyses 1 , and therefore the program representation is untyped. Similarly to [24, 22, 21, 8, 11, 6, 9, 14], we assume that the analyses treat structures and arrays as monolithic objects and do not distinguish between their individual elements. Finally, we assume that calls to malloc and other heap allocating functions are replaced by statements of the form x = heap i , where heap i is a variable ....

[Article contains additional citation context not shown here]

J. Foster, M. Fahndrich, and A. Aiken. Polymorphic versus monomorphic flow-insensitive points-to analysis for C. In Static Analysis Symposium, LNCS 1824, pages 175--198, 2000.

....in a given variable p. This information is used to estimate the set of locations indirectly read or written through p. Without points to information, many subsequent analyses and optimizations would be impossible. There are many points to analyses for C with various degrees of cost and precision [25, 24, 18, 4, 31, 39, 33, 32, 19, 26, 34, 21, 30, 14, 20, 10]. There is growing interest in pointsto analysis for object oriented languages; for example, for Java the goal of points to analysis is to determine the set of objects pointed to by a reference variable or a reference object field. This information can be used (i) to construct the program call ....

....applications such as def use analysis and side e#ect analysis. 9 Related Work Points to analysis for object references in Java is clearly related to pointer analysis for imperative languages such as C. There are various pointer analyses for C with di#erent tradeo#s between cost and precision [25, 24, 18, 4, 31, 39, 33, 32, 19, 26, 34, 21, 30, 14, 20, 10]. The closest related work from this category are the e#cient constraint based implementations of Andersen s analysis from [19] and [34] This work shows how to reduce the cost of Andersen s analysis by using the inductive form representation together with e# cient resolution techniques such as ....

J. Foster, M. Fahndrich, and A. Aiken. Polymorphic versus monomorphic flow-insensitive points-to analysis for C. In Static Analysis Symposium, 2000.

....for C by Steensgaard [35] A comparison of Andersen s analysis and Steensgaard s analysis has been presented by Shapiro and Horwitz [31] The unification based approach is cheaper and less precise than the 0 CFA style approach. 11 A broader comparison was given by Foster, Fahndrich, and Aiken [15]; they compared both polymorphic versus monomorphic and equality based versus inclusion based points to analysis. Their main conclusion is that the monomorphic inclusion based algorithm is a good choice because 1) it usually beats the polymorphic equality based algorithm, 2) it is not much worse ....

....well shed more light on which algorithm to choose. Perhaps 0 CFA needs to be a fair bit better than the other algorithms before it becomes tempting to implement the program transformation that enables 0 CFA for Java bytecodes. While adding Hindley Milner polymorphism seems not to be worthwhile [15], we have conducted some initial experiments with the use of data polymorphism. The idea is well known: treat each distinct allocation site as a separate class, and keep the fields in these artificial classes distinct [27, 18] Similarly, distinct sets may be used when methods are invoked on ....

Foster, J. S., F ahndrich, M., and Aiken, A. Polymorphic versus monomorphic flow-insensitive points-to analysis for C. In Proceedings of SAS 2000, 7th Static Analysis Symposium (2000), J. Palsberg, Ed., pp. 175--198.

No context found.

Je#rey S. Foster, Manuel Fahndrich, and Alexander Aiken. Polymorphic versus Monomorphic Flow-insensitive Points-to Analysis for C. In Jens Palsberg, editor, Static Analysis, Seventh International Symposium, volume 1824 of Lecture Notes in Computer Science, pages 175--198, Santa Barbara, CA, June/July 2000. SpringerVerlag.

No context found.

FFA00. J. S. Foster, M. Fahndrich, and A. Aiken. Polymorphic versus monomorphic flow-insensitive points-to analysis for C. In Proceedings of the 7'th International Static Analysis Symposium, 2000.

....from the quanti ed type to the environment. If used na vely, rule (Quant) amounts to analyzing a program in which all function calls have been inlined. In order to make the polymorphic analyses tractable, we perform a number of simpli cations to reduce the sizes of quanti ed types. See [17] for a discussion of the simpli cations we use. As an example of the potential bene t of polymorphic points to analysis, consider the following atypical C program: int id(int x) return x; int main( int a, b, c, d; c = id( a) d = id( b) In the notation in this paper id is de ....

....monomorphic Andersen s analysis all inputs to id ow to all outputs. Thus we discover that c and d both point to a and b. Polymorphic Andersen s analysis assigns id type 8X ; R id : lam(l id ; X ; R id )n ref (l x ; X ; X ) proj (ref ; 2; R id ) Solving these constraints and simplifying (see [17]) yields 8X : lam(l id ; X ; X )n; In other words, id is the identity function. Because this type is instantiated for each call of id, the points to sets are computed exactly: c points to a and d points to b. There are several important observations about the type system. First, function ....

[Article contains additional citation context not shown here]

J. S. Foster, M. Fahndrich, and A. Aiken. Polymorphic versus Monomorphic Flowinsensitive Points-to Analysis for C. Technical report, University of California, Berkeley, Apr. 2000.

No context found.

J. S. Foster, M. Fahndrich, and A. Aiken. Polymorphic versus monomorphic flow-insensitive points-to analysis for C. In Proc. Static Analysis Symposium, volume 1824 of LNCS, pages 175--198. Springer-Verlag, 2000.

No context found.

J.S. Foster, M. F ahndrich, and A. Aiken. Polymorphic versus monomorphic flow-insensitive points-to analysis for C. In SAS, 2000.

No context found.

J.S. Foster, M. Fahndrich, and A. Aiken. Polymorphic versus monomorphic flowinsensitive points-to analysis for C. In SAS, 2000.

No context found.

J. Foster, M. Fahndrich, and A. Aiken. Polymorphic versus monomorphic flow-insensitive points-to analysis for C. In SAS, LNCS 1824, pages 175--198, 2000.

No context found.

Foster, J., Fhndrich, M., and Aiken, A.: 2000, `Polymorphic versus Monomorphic Flow-insensitive Points-to Analysis for C'. In: Static Analysis Symposium. pp. 175--198.

No context found.

Je#rey S. Foster, Manuel Fahndrich, and Alexander Aiken. Polymorphic versus monomorphic flowinsensitive points-to analysis for C. In Proceedings of the Static Analysis Symposium, 2001.

No context found.

Je#rey S. Foster, Manuel Fahndrich, and Alexander Aiken. Polymorphic versus monomorphic flow-insensitive points-to analysis for C. In Proceedings of the Static Analysis Symposium, 2000.

No context found.

Je#rey S. Foster, Manuel Fahndrich, and Alexander Aiken. Polymorphic versus monomorphic flowinsensitive points-to analysis for C. In SAS, 2001.

No context found.

J. S. Foster, M. F ahndrich, and A. Aiken. Polymorphic versus monomorphic flow-insensitive points-to analysis for C. In pages 175--198, Apr. 2000.

No context found.

J. S. Foster, M. Fahndrich, and A. Aiken. Polymorphic versus monomorphic flow-insensitive points-to analysis for C. In pages 175--198, Apr. 2000.

No context found.

Foster, J., Fahndrich, M., Aiken, A.: Polymorphic versus monomorphic flow-insensitive points-to analysis for C. In: Static Analysis Symp. (2000) 175--198

No context found.

J. S. Foster, M. Fahndrich, and A. Aiken. Polymorphic versus monomorphic flow-insensitive points-to analysis for C. In Proc. Static Analysis Symposium, volume 1824 of LNCS, pages 175--198. Springer-Verlag, 2000.

No context found.

J. Foster, M. Fahndrich, and A. Aiken. Polymorphic versus monomorphic flowinsensitive points-to analysis for C. In Static Analysis Symposium, LNCS 1824, pages 175--198, 2000.

No context found.

J. S. Foster, M. Fahndrich, and A. Aiken. Polymorphic versus monomorphic flowinsensitive points-to analysis for C. In Static Analysis Symposium, pages 175--198, 2000.

No context found.

J. Foster, M. Fahndrich, and A. Aiken. Polymorphic versus monomorphic flowinsensitive points-to analysis for C. In SAS, LNCS 1824, pages 175--198, 2000.

No context found.

Jeffrey S. Foster, Manuel Fahndrich, and Alexander Aiken. Polymorphic versus monomorphic flow-insensitive points-to analysis for C. In International Static Analysis Symposium, pages 175--198, 2000.

Online articles have much greater impact   More about CiteSeer.IST   Add search form to your site   Submit documents   Feedback  

CiteSeer.IST - Copyright Penn State and NEC