
    Precise and Efficient Points-to Analysis via New Context-Sensitivity and Heap Abstraction

    Points-to analysis addresses a fundamental problem in program analysis: determining statically which objects a variable or reference can point to. As a fundamental technique, many real-world clients such as bug detection, security analysis, program understanding, compiler optimization and program verification depend on the results of points-to analysis. A long-standing problem in points-to analysis is the balance between precision and efficiency. This thesis aims to improve both ends of the balance respectively.

    For precision, object-sensitivity is usually considered the most precise context-sensitivity for points-to analysis of object-oriented languages such as Java. However, it suffers from a scalability problem when the context length is increased, and thus it is hard to further improve its precision. We present BEAN, a new object-sensitivity approach for points-to analysis. By identifying and eliminating the redundant context elements that contribute nothing to precision, BEAN is able to improve the precision of any k-object-sensitive analysis while still using a k-limiting context abstraction.

    For efficiency, targeting type-dependent clients such as call graph construction, devirtualization and may-fail casting, we present MAHJONG, a new heap abstraction approach for points-to analysis. By merging equivalent automata representing type-consistent objects that are created by the allocation-site abstraction, MAHJONG enables an allocation-site-based points-to analysis to run significantly faster while achieving nearly the same precision for type-dependent clients.

    We extensively evaluate BEAN and MAHJONG against the state-of-the-art points-to analysis for Java on large real-world Java applications and libraries. The results demonstrate that both BEAN and MAHJONG have met their design goals. BEAN has succeeded in making points-to analysis more precise at only a small increase in analysis cost. MAHJONG enables points-to analysis to run significantly faster while achieving nearly the same precision for type-dependent clients. We have released BEAN and MAHJONG as open-source tools.

    Scalable Context-Sensitive Pointer Analysis for LLVM

    Pointer analysis is indispensable for effectively verifying heap-manipulating programs. Even though it has been studied extensively, there are no publicly available pointer analyses for low-level languages that are moderately precise while scalable to large real-world programs. In this thesis, we show that existing context-sensitive unification-based pointer analyses suffer from the problem of oversharing: propagating too many abstract objects across the analysis of different procedures, which prevents them from scaling to large programs. We present a new pointer analysis for LLVM, called TeaDsa, with such oversharing significantly reduced. We show how to further improve the precision and speed of TeaDsa with extra contextual information, such as flow-sensitivity at call- and return-sites, and type information about memory accesses. We evaluate TeaDsa on the verification problem of detecting unsafe memory accesses and compare it against two state-of-the-art pointer analyses: SVF and SeaDsa. We show that TeaDsa is one order of magnitude faster than either SVF or SeaDsa, strictly more precise than SeaDsa, and, surprisingly, sometimes more precise than SVF.