4 research outputs found
Probabilistic pointer analysis for multithreaded programs
The use of pointers and data-structures based on pointers results in circular
memory references that are interpreted by a vital compiler analysis, namely
pointer analysis. For a pair of memory references at a program point, a typical
pointer analysis specifies if the points-to relation between them may exist,
definitely does not exist, or definitely exists. The "may be" case, which
describes the points-to relation for most of the pairs, cannot be dealt with by
most compiler optimizations. This is so to guarantee the soundness of these
optimizations. However, the "may be" case can be capitalized by the modern
class of speculative optimizations if the probability that two memory
references alias can be measured. Focusing on multithreading, a prevailing
technique of programming, this paper presents a new flow-sensitive technique
for probabilistic pointer analysis of multithreaded programs. The proposed
technique has the form of a type system and calculates the probability of every
points-to relation at each program point. The key to our approach is to
calculate the points-to information via a post-type derivation. The use of type
systems has the advantage of associating each analysis results with a
justification (proof) for the correctness of the results. This justification
has the form of a type derivation and is very much required in applications
like certified code.Comment: 12 page
Recommended from our members
Precise Scalable Static Analysis for Application-Specific Security Guarantees
This dissertation presents Pidgin, a static program analysis and understanding tool that enables the specification and enforcement of precise application-specific information security guarantees. Pidgin also allows developers to interactively explore the information flows in their applications to develop policies and investigate counter-examples.
Pidgin combines program dependence graphs (PDGs), which precisely capture the in- formation flows in a whole application, with a custom PDG query language. Queries express properties about the paths in the PDG; because paths in the PDG correspond to information flows in the application, queries can be used to specify global security policies.
The effectiveness of Pidgin depends on the precision of the static analyses used to produce program dependence graphs. In particular it depends on the precision of a points-to analysis. Points-to analysis is a foundational static analysis that estimates the memory locations pointer expressions can refer to at runtime. Points-to information is used by clients ranging from compiler optimizations to security tools like Pidgin. The precision of these client analyses relies on the precision of the points-to analysis. In this dissertation we investigate points-to analysis performance/precision trade-offs, including a novel points-to analysis for object-oriented languages designed to help establish object invariants.
This dissertation describes the design and implementation of Pidgin and the points-to analyses that allow Pidgin and other static analyses to scale to large applications. We report on using Pidgin: (1) to explore information security guarantees in legacy programs; (2) to develop and modify security policies concurrently with application development; and (3) to develop policies based on known vulnerabilities.Engineering and Applied Sciences - Computer Scienc
Understanding Uncertainty in Static Pointer Analysis
Institute for Computing Systems ArchitectureFor programs that make extensive use of pointers, pointer analysis is often critical
for the effectiveness of optimising compilers and tools for reasoning about program
behaviour and correctness. Static pointer analysis has been extensively studied and
several algorithms have been proposed, but these only provide approximate solutions.
As such inaccuracy may hinder further optimisations, it is important to understand
how short these algorithms come of providing accurate information about the points-to
relations.
This thesis attempts to quantify the amount of uncertainty of the points-to relations
that remains after a state-of-the-art context- and flow-sensitive pointer analysis algorithm
is applied to a collection of programs from two well-known benchmark suites:
SPEC integer and MediaBench. This remaining static uncertainty is then compared
to the run-time behaviour. Unlike previous work that compared run-time behaviour
against less accurate context- and flow-insensitive algorithms, the goal of this work is
to quantify the amount of uncertainty that is intrinsic to the applications and that defeat
even the most accurate static analyses.
In a first step to quantify the uncertainties, a compiler framework was proposed and
implemented. It is based on the SUIF1 research compiler framework and the SPAN
pointer analysis package. This framework was then used to collect extensive data
from the static points-to analysis. It was also used to drive a profiled execution of the
programs in order to collect the real run-time points-to data. Finally, the static and the
run-time data were compared.
Experimental results show that often the static pointer analysis is very accurate, but
for some benchmarks a significant fraction, up to 25%, of their accesses via pointer dereferences
cannot be statically fully disambiguated. We find that some 27% of these
de-references turn out to access a single memory location at run time, but many do
access several different memory locations. We find that the main reasons for this are
the use of pointer arithmetic and the fact that some control paths are not taken. The
latter is an example of a source of uncertainty that is intrinsic to the application
Recommended from our members
Summary-Based Pointer Analysis Framework for Modular Bug Finding
Modern society is irreversibly dependent on computers and, consequently, on software. However, as the complexity of programs increase, so does the number of defects within them. To alleviate the problem, automated techniques are constantly used to improve software quality. Static analysis is one such approach in which violations of correctness properties are searched and reported. Static analysis has many advantages, but it is necessarily conservative because it symbolically executes the program instead of using real inputs, and it considers all possible executions simultaneously. Being conservative often means issuing false alarms, or missing real program errors. Pointer variables are a challenging aspect of many languages that can force static analysis tools to be overly conservative. It is often unclear what variables are affected by pointer-manipulating expressions, and aliasing between variables is one of the banes of program analysis. To alleviate that, a common solution is to allow the programmer to provide annotations such as declaring a variable as unaliased in a given scope, or providing special constructs such as the "never-null" pointer of Cyclone. However, programmers rarely keep these annotations up-to-date. The solution is to provide some form of pointer analysis, which derives useful information about pointer variables in the program. An appropriate pointer analysis equips the static tool so that it is capable of reporting more errors without risking too many false alarms. This dissertation proposes a methodology for pointer analysis that is specially tailored for "modular bug finding." It presents a new analysis space for pointer analysis, defined by finer-grain "dimensions of precision," which allows us to explore and evaluate a variety of different algorithms to achieve better trade-offs between analysis precision and efficiency. This framework is developed around a new abstraction for computing points-to sets, the Assign-Fetch Graph, that has many interesting features. Empirical evaluation shows promising results, as some unknown errors in well-known applications were discovered