Results 1 - 10 of 629

Points-to Analysis in Almost Linear Time

by Bjarne Steensgaard , 1996
"... We present an interprocedural flow-insensitive points-to analysis based on type inference methods with an almost linear time cost complexity. To our knowledge, this is the asymptotically fastest non-trivial interprocedural points-to analysis algorithm yet described. The algorithm is based on a non-s ..."
Abstract - Cited by 595 (3 self) - Add to MetaCart
We present an interprocedural flow-insensitive points-to analysis based on type inference methods with an almost linear time cost complexity. To our knowledge, this is the asymptotically fastest non-trivial interprocedural points-to analysis algorithm yet described. The algorithm is based on a non-standard type system. The type inferred for any variable represents a set of locations and includes a type which in turn represents a set of locations possibly pointed to by the variable. The type inferred for a function variable represents a set of functions it may point to and includes a type signature for these functions. The results are equivalent to those of a flow-insensitive alias analysis (and control flow analysis) that assumes alias relations are reflexive and transitive. This work makes
(Show Context)

Compositional Pointer and Escape Analysis for Java Programs

by John Whaley, Martin Rinard - In Proceedings of the 14th Annual Conference on Object-Oriented Programming Systems, Languages and Applications , 1999
"... algorithm for Java programs. The algorithm is based on the abstraction of points-to escape graphs, which characterize how local variables and elds in objects refer to other objects. Each points-to escape graph also contains escape information, which characterizes how objects allocated in one region ..."
Abstract - Cited by 267 (29 self) - Add to MetaCart
algorithm for Java programs. The algorithm is based on the abstraction of points-to escape graphs, which characterize how local variables and elds in objects refer to other objects. Each points-to escape graph also contains escape information, which characterizes how objects allocated in one region of the program can escape to be accessed by another region. The algorithm is designed to analyze arbitrary regions of complete or incomplete programs, obtaining complete information for objects that do not escape the analyzed regions.
(Show Context)

Locating Features in Source Code

by Thomas Eisenbarth, Rainer Koschke, Daniel Simon , 2003
"... Understanding the implementation of a certain feature of a system requires to identify the computational units of the system that contribute to this feature. In many cases, the mapping of features to the source code is poorly documented. In this paper, we present a semi-automatic technique that reco ..."
Abstract - Cited by 243 (3 self) - Add to MetaCart
Understanding the implementation of a certain feature of a system requires to identify the computational units of the system that contribute to this feature. In many cases, the mapping of features to the source code is poorly documented. In this paper, we present a semi-automatic technique that reconstructs the mapping for features that are triggered by the user and exhibit an observable behavior. The mapping is in general not injective; that is, a computational unit may contribute to several features. Our technique allows to distinguish between general and specific computational units with respect to a given set of features. For a set of features, it also identifies jointly and distinctly required computational units.
(Show Context)

Backwards-compatible bounds checking for arrays and pointers in C programs

by Richard W M Jones, Paul H J Kelly, Most C, Uncaught Errors - in Distributed Enterprise Applications. HP Labs Tech Report , 1997
"... function-typed variables, virtual functions, and 7/7 call-backs. 8/8 Maintain shadow bitmap: Maintain a map indicating which storage regions are valid. Update it when stack allocations, malloc and free occur. Augment each memory access instruction with code to check whether the address is valid ..."
Abstract - Cited by 221 (0 self) - Add to MetaCart
function-typed variables, virtual functions, and 7/7 call-backs. 8/8 Maintain shadow bitmap: Maintain a map indicating which storage regions are valid. Update it when stack allocations, malloc and free occur. Augment each memory access instruction with code to check whether the address is valid [Hastings and Joyce, 1992]. Advantages: Fairly ecient Doesn't require access to source code, so can (must) be applied to all constituents of application False negatives - fails to ag accesses to a valid region using an 9/9 improperly-derived pointer 10/10 Summarise requirements: Track intended referent for each pointer It is not good enough just to check that accesses are to valid locations No change to pointer representation In order to inter-operate with unchecked code without restriction, no information can be bundled with the pointer. 11/11 How to do it . . . 3: the central idea Invariant: Assume all stored pointers are properly-derived pointers to their intended referent Im
(Show Context)

Unification-based Pointer Analysis with Directional Assignments

by Manuvir Das , 2000
"... This paper describes a new algorithm for flow and context insensitive pointer analysis of C programs. Our studies show that the most common use of pointers in C programs is in passing the addresses of composite objects or updateable values as arguments to procedures. Therefore, we have designed a lo ..."
Abstract - Cited by 217 (7 self) - Add to MetaCart
This paper describes a new algorithm for flow and context insensitive pointer analysis of C programs. Our studies show that the most common use of pointers in C programs is in passing the addresses of composite objects or updateable values as arguments to procedures. Therefore, we have designed a low-cost algorithm that handles this common case accurately. In terms of both precision and running time, this algorithm lies between Steensgaard's algorithm, which treats assignments bi-directionally using unification, and Andersen's algorithm, which treats assignments directionally using subtyping. Our "one level flow" algorithm uses a restricted form of subtyping to avoid unification of symbols at the top levels of pointer chains in the points-to graph, while using unification elsewhere in the graph. The method scales easily to large programs. For instance, we are able to analyze a 1.4 MLOC (million lines of code) program in two minutes, using less than 200MB of memory. At the same time, the pr...
(Show Context)

Scaling Java points-to analysis using Spark

by Ondrej Lhoták, Laurie Hendren - IN COMPILER CONSTRUCTION, 12TH INTERNATIONAL CONFERENCE, VOLUME 2622 OF LNCS , 2003
"... Most points-to analysis research has been done on different systems by different groups, making it difficult to compare results, and to understand interactions between individual factors each group studied. Furthermore, points-to analysis for Java has been studied much less thoroughly than for C, an ..."
Abstract - Cited by 179 (15 self) - Add to MetaCart
Most points-to analysis research has been done on different systems by different groups, making it difficult to compare results, and to understand interactions between individual factors each group studied. Furthermore, points-to analysis for Java has been studied much less thoroughly than for C, and the tradeoffs appear very different. We introduce Spark, a flexible framework for experimenting with points-to analyses for Java. Spark supports equality- and subset-based analyses, variations in field sensitivity, respect for declared types, variations in call graph construction, off-line simplification, and several solving algorithms. Spark is composed of building blocks on which new analyses can be based. We demonstrate Spark in a substantial study of factors affecting precision and efficiency of subsetbased points-to analyses, including interactions between these factors. Our results show that Spark is not only flexible and modular, but also offers superior time/space performance when compared to other points-to analysis implementations.

Parameterized Object Sensitivity for Points-to Analysis for Java

by Ana Milanova, Atanas Rountev, Barbara G. Ryder - ACM Trans. Softw. Eng. Methodol , 2002
"... The goal of points-to analysis for Java is to determine the set of objects pointed to by a reference variable or a reference object field. We present object sensitivity, a new form of context sensitivity for flow-insensitive points-to analysis for Java. The key idea of our approach is to analyze a m ..."
Abstract - Cited by 165 (21 self) - Add to MetaCart
The goal of points-to analysis for Java is to determine the set of objects pointed to by a reference variable or a reference object field. We present object sensitivity, a new form of context sensitivity for flow-insensitive points-to analysis for Java. The key idea of our approach is to analyze a method separately for each of the object names that represent runtime objects on which this method may be invoked. To ensure flexibility and practicality, we propose a parameterization framework that allows analysis designers to control the tradeo#s between cost and precision in the object-sensitive analysis.
(Show Context)

Pointer Analysis for Multithreaded Programs

by Radu Rugina, Martin Rinard - ACM SIGPLAN 99 , 1999
"... This paper presents a novel interprocedural, flow-sensitive, and context-sensitive pointer analysis algorithm for multithreaded programs that may concurrently update shared pointers. For each pointer and each program point, the algorithm computes a conservative approximation of the memory locations ..."
Abstract - Cited by 163 (12 self) - Add to MetaCart
This paper presents a novel interprocedural, flow-sensitive, and context-sensitive pointer analysis algorithm for multithreaded programs that may concurrently update shared pointers. For each pointer and each program point, the algorithm computes a conservative approximation of the memory locations to which that pointer may point. The algorithm correctly handles a full range of constructs in multithreaded programs, including recursive functions, function pointers, structures, arrays, nested structures and arrays, pointer arithmetic, casts between pointer variables of different types, heap and stack allocated memory, shared global variables, and thread-private global variables. We have implemented the algorithm in the SUIF compiler system and used the implementation to analyze a sizable set of multithreaded programs written in the Cilk multithreaded programming language. Our experimental results show that the analysis has good precision and converges quickly for our set of Cilk programs.

Fast and Accurate Flow-Insensitive Points-To Analysis

by Marc Shapiro, Susan Horwitz - IN SYMPOSIUM ON PRINCIPLES OF PROGRAMMING LANGUAGES , 1997
"... In order to analyze a program that involves pointers, it is necessary to have (safe) information about what each pointer points to. There are many different approaches to computing points-to information. This paper addresses techniques for flow- and context-insensitive interprocedural analysis of st ..."
Abstract - Cited by 162 (3 self) - Add to MetaCart
In order to analyze a program that involves pointers, it is necessary to have (safe) information about what each pointer points to. There are many different approaches to computing points-to information. This paper addresses techniques for flow- and context-insensitive interprocedural analysis of stack-based storage. The paper makes two contributions to work in this area: ffl The first contribution is a set of experiments that explore the trade-offs between techniques previously defined by Lars Andersen and Bjarne Steensgaard. The former has a cubic worst-case running time, while the latter is essentially linear. However, the former may be much more precise than the latter. We have found that in practice, Andersen's algorithm is consistently more precise than Steensgaard's. For small programs, there is very little difference in the times required by the two approaches; however, for larger programs, Andersen's algorithm can be much slower than Steensgaard's. ffl The second contrib...

Program Analysis via Graph Reachability

by Thomas Reps , 1997
"... This paper describes how a number of program-analysis problems can be solved by transforming them to graph-reachability problems. Some of the program-analysis problems that are amenable to this treatment include program slicing, certain dataflow-analysis problems, and the problem of approximating th ..."
Abstract - Cited by 157 (7 self) - Add to MetaCart
This paper describes how a number of program-analysis problems can be solved by transforming them to graph-reachability problems. Some of the program-analysis problems that are amenable to this treatment include program slicing, certain dataflow-analysis problems, and the problem of approximating the possible "shapes" that heap-allocated structures in a program can take on. Relationships between graph reachability and other approaches to program analysis are described. Some techniques that go beyond pure graph reachability are also discussed.