Johannes Späth, Lisa Nguyen Quang Do, Karim Ali, E. Bodden
Boomerang: Demand-Driven Flow- and Context-Sensitive Pointer Analysis for Java
European Conference on Object-Oriented Programming, 2016-07-01
DOI: 10.4230/LIPIcs.ECOOP.2016.22 (https://doi.org/10.4230/LIPIcs.ECOOP.2016.22)
Citations: 116
Abstract
Many current program analyses require highly precise pointer information about small, targeted parts of a given program. This motivates the need for demand-driven pointer analyses that compute information only where required. Pointer analyses generally compute points-to sets of program variables or answer boolean alias queries. However, many client analyses require richer pointer information. For example, taint and typestate analyses often need to know the set of all aliases of a given variable under a certain calling context. With most current pointer analyses, clients must compute such information through repeated points-to or alias queries, increasing complexity and computation time for them.
This paper presents Boomerang, a demand-driven, flow-, field-, and context-sensitive pointer analysis for Java programs. Boomerang computes rich results that include both the possible allocation sites of a given pointer (points-to information) and all pointers that can point to those allocation sites (alias information). For increased precision and scalability, clients can query Boomerang with respect to particular calling contexts of interest.
Our experiments show that Boomerang is more precise than existing demand-driven pointer analyses. Additionally, using Boomerang, the taint analysis FlowDroid issues up to 29.4x fewer pointer queries compared to using other pointer analyses that return simpler pointer information. Furthermore, the search space of Boomerang can be significantly reduced by requesting calling contexts from the client analysis.