268 research outputs found
Flow- and context-sensitive points-to analysis using generalized points-to graphs
© Springer-Verlag GmbH Germany 2016. Bottom-up interprocedural methods of program analysis construct summary flow functions for procedures to capture the effect of their calls and have been used effectively for many analyses. However, these methods seem computationally expensive for flow- and context- sensitive points-to analysis (FCPA) which requires modelling unknown locations accessed indirectly through pointers. Such accesses are com- monly handled by using placeholders to explicate unknown locations or by using multiple call-specific summary flow functions. We generalize the concept of points-to relations by using the counts of indirection levels leaving the unknown locations implicit. This allows us to create sum- mary flow functions in the form of generalized points-to graphs (GPGs) without the need of placeholders. By design, GPGs represent both mem- ory (in terms of classical points-to facts) and memory transformers (in terms of generalized points-to facts). We perform FCPA by progressively reducing generalized points-to facts to classical points-to facts. GPGs distinguish between may and must pointer updates thereby facilitating strong updates within calling contexts. The size of GPGs is linearly bounded by the number of variables and is independent of the number of statements. Empirical measurements on SPEC benchmarks show that GPGs are indeed compact in spite of large procedure sizes. This allows us to scale FCPA to 158 kLoC using GPGs (compared to 35 kLoC reported by liveness-based FCPA). Thus GPGs hold a promise of efficiency and scalability for FCPA without compro- mising precision
Automatically Finding Bugs in Open Source Programs
We consider properties desirable for static analysis tools targeted at finding bugs in the real open source code, and review tools based on various approaches to defect detection. A static analysis tool is described, that includes a framework for flow-sensitive interprocedural dataflow analysis and scales to analysis of large
programs. The framework enables implementation of multiple checkers searching for specific bugs, such as null pointer dereference and buffer overflow, abstracting from the checkers details such as alias analysis
Understanding Program Slices
Program slicing is a useful analysis for aiding different
software engineering activities. In the past decades, various
notions of program slices have been evolved as well as a number
of methods to compute them. By now program slicing has numerous
applications in software maintenance, program comprehension,
reverse engineering, program integration, and software testing.
Usability of program slicing for real world programs depends on
many factors such as precision, speed, and scalability, which
have already been addressed in the literature. However, only a
little attention has been brought to the practical demand: when
the slices are large or difficult to understand, which often
occur in the case of larger programs, how to give an explanation
for the user why a particular element has been included in the
resulting slice. This paper describes a reasoning method about
elements of static program slices
- …