Scalability-First Pointer Analysis with Self-Tuning Context-Sensitivity
Context-sensitivity is important in pointer analysis to ensure high precision, but existing techniques suffer from unpredictable scalability. Many variants of context-sensitivity exist, and it is difficult to choose one that leads to reasonable analysis time and obtains high precision, without running the analysis multiple times.
We present the Scaler framework that addresses this problem.
Scaler efficiently estimates the amount of points-to information
that would be needed to analyze each method with different variants
of context-sensitivity. It then selects an appropriate variant for
each method so that the total amount of points-to information is
bounded, while utilizing the available space to maximize precision.
Our experimental results demonstrate that Scaler achieves predictable scalability for all the evaluated programs (e.g., speedups can reach 10x for 2-object-sensitivity), while providing a precision that matches or even exceeds that of the best alternative techniques.
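The per-method selection idea above can be sketched as a small budgeted-assignment loop. This is a hypothetical illustration, not Scaler's actual algorithm: the variant names, the cost model, and the greedy order are all assumptions made for the example.

```python
# Hypothetical sketch of Scaler-style self-tuning context selection:
# estimate the points-to information each context variant would produce
# per method, then give each method the most precise variant that keeps
# the program-wide total under a space budget.

# Variants ordered from most precise (and most expensive) to cheapest.
VARIANTS = ["2obj", "2type", "1type", "insensitive"]

def estimated_cost(method, variant, base_costs):
    """Estimated points-to facts for analysing `method` under `variant`."""
    # Assume (for illustration) that cheaper variants shrink the
    # estimate by a fixed factor relative to the most precise one.
    factor = {"2obj": 1.0, "2type": 0.5, "1type": 0.25, "insensitive": 0.1}
    return base_costs[method] * factor[variant]

def select_variants(base_costs, budget):
    """Give each method the most precise variant that fits the budget."""
    choice, total = {}, 0.0
    # Cheapest methods first, so small methods get precise contexts
    # before large ones exhaust the budget.
    for m in sorted(base_costs, key=base_costs.get):
        for v in VARIANTS:                      # most precise first
            cost = estimated_cost(m, v, base_costs)
            if total + cost <= budget:
                choice[m], total = v, total + cost
                break
        else:
            # Nothing fits: fall back to the cheapest variant anyway,
            # since every method must be analysed somehow.
            choice[m] = "insensitive"
            total += estimated_cost(m, "insensitive", base_costs)
    return choice
```

With a budget of 200 and base costs of 10, 100, and 1000, the two small methods keep full 2-object-sensitivity while the large one degrades to a context-insensitive analysis, bounding the total.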
Inductive Program Synthesis via Iterative Forward-Backward Abstract Interpretation
A key challenge in example-based program synthesis is the gigantic search
space of programs. To address this challenge, various work proposed to use
abstract interpretation to prune the search space. However, most existing approaches have focused only on forward abstract interpretation and thus cannot fully exploit its power. In this paper, we
propose a novel approach to inductive program synthesis via iterative
forward-backward abstract interpretation. The forward abstract interpretation
computes possible outputs of a program given inputs, while the backward
abstract interpretation computes possible inputs of a program given outputs. By
iteratively performing the two abstract interpretations in an alternating
fashion, we can effectively determine if any completion of each partial program
as a candidate can satisfy the input-output examples. We apply our approach to
a standard formulation, syntax-guided synthesis (SyGuS), thereby supporting a
wide range of inductive synthesis tasks. We have implemented our approach and
evaluated it on a set of benchmarks from the prior work. The experimental
results show that our approach significantly outperforms the state-of-the-art
approaches thanks to its sophisticated abstract interpretation techniques.
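The alternating forward-backward pruning can be illustrated on an interval domain. This is a minimal sketch under strong assumptions (programs are straight-line chains of unary integer operations, and a hole abstracts to "any value"), not the paper's algorithm; the operation names are invented for the example.

```python
# Forward-backward interval analysis for pruning candidate programs:
# a program is a list of ops applied to an integer input; ("hole", _)
# is an unfilled part whose effect is unknown (abstracted as TOP).

INF = float("inf")
TOP = (-INF, INF)

def fwd(op, iv):
    """Forward transfer: possible outputs of `op` on inputs in `iv`."""
    (lo, hi), (kind, k) = iv, op
    if kind == "add":  return (lo + k, hi + k)
    if kind == "neg":  return (-hi, -lo)
    if kind == "hole": return TOP
    raise ValueError(kind)

def bwd(op, iv):
    """Backward transfer: inputs of `op` that can yield outputs in `iv`."""
    (lo, hi), (kind, k) = iv, op
    if kind == "add":  return (lo - k, hi - k)
    if kind == "neg":  return (-hi, -lo)
    if kind == "hole": return TOP
    raise ValueError(kind)

def meet(a, b):
    """Interval intersection; None means the empty interval."""
    lo, hi = max(a[0], b[0]), min(a[1], b[1])
    return None if lo > hi else (lo, hi)

def feasible(prog, x, y):
    """Can some completion of `prog` map input x to output y?"""
    n = len(prog)
    ivs = [(x, x)] + [TOP] * n        # abstract value between ops
    ivs[n] = meet(ivs[n], (y, y))     # constrain the final output
    changed = True
    while changed:                    # iterate to a fixpoint
        changed = False
        for i, op in enumerate(prog):            # forward pass
            new = meet(ivs[i + 1], fwd(op, ivs[i]))
            if new is None: return False         # contradiction: prune
            if new != ivs[i + 1]: ivs[i + 1], changed = new, True
        for i in reversed(range(n)):             # backward pass
            new = meet(ivs[i], bwd(prog[i], ivs[i + 1]))
            if new is None: return False
            if new != ivs[i]: ivs[i], changed = new, True
    return True
```

For instance, the complete program `[("add", 1), ("neg", 0)]` maps 3 to -4, so the example (3, 5) is pruned by the forward pass alone, while a program containing a hole survives whenever the backward pass can push the required output back through the known suffix.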
Precision-guided context sensitivity for pointer analysis
Context sensitivity is an essential technique for ensuring high precision in Java pointer analyses. It has been
observed that applying context sensitivity partially, only on a select subset of the methods, can improve the
balance between analysis precision and speed. However, existing techniques are based on heuristics that
do not provide much insight into what characterizes this method subset. In this work, we present a more
principled approach for identifying precision-critical methods, based on general patterns of value flows that
explain where most of the imprecision arises in context-insensitive pointer analysis. Accordingly, we provide
an efficient algorithm to recognize these flow patterns in a given program and exploit them to yield good
tradeoffs between analysis precision and speed.
Our experimental results on standard benchmark and real-world programs show that a pointer analysis that
applies context sensitivity partially, only on the identified precision-critical methods, preserves effectively all
(98.8%) of the precision of a highly-precise conventional context-sensitive pointer analysis (2-object-sensitive
with a context-sensitive heap), with a substantial speedup (on average 3.4X, and up to 9.2X).
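The selection step can be pictured with a toy flow pattern. The abstract does not spell out its patterns, so the one below (a parameter value reaching the method's return, the kind of in/out flow through which a context-insensitive analysis conflates callers) is an invented stand-in, as are the graph encoding and node names.

```python
# Hypothetical illustration of flagging precision-critical methods:
# flag a method if, in a context-insensitive value-flow graph, its
# parameter node can reach its return node.

from collections import deque

def reaches(graph, src, dst):
    """BFS reachability in a value-flow graph given as an adjacency dict."""
    seen, work = {src}, deque([src])
    while work:
        n = work.popleft()
        if n == dst:
            return True
        for m in graph.get(n, ()):
            if m not in seen:
                seen.add(m)
                work.append(m)
    return False

def precision_critical(methods, graph):
    """Select methods whose parameters flow to their returns."""
    return {m for m in methods
            if reaches(graph, f"{m}:param", f"{m}:ret")}
```

A partially context-sensitive analysis would then apply the expensive contexts only to the returned subset and analyse the rest context-insensitively.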
Predictive Monitoring against Pattern Regular Languages
In this paper, we focus on the problem of dynamically analysing concurrent
software against high-level temporal specifications. Existing techniques for
runtime monitoring against such specifications are primarily designed for
sequential software and remain inadequate in the presence of concurrency --
violations may be observed only in intricate thread interleavings, requiring
many re-runs of the underlying software. Towards this, we study the problem of
predictive runtime monitoring, inspired by the analogous problem of predictive
data race detection studied extensively recently. The predictive runtime
monitoring question asks, given an execution, whether it can be soundly reordered to expose violations of a specification.
In this paper, we focus on specifications that are given in regular
languages. Our notion of reorderings is trace equivalence, where an execution
is considered a reordering of another if it can be obtained from the latter by
successively commuting adjacent independent actions. We first show that the predictive monitoring problem admits a super-linear lower bound in the number of events in the execution, parameterized by the degree of commutativity. As a result, predictive runtime monitoring even in this setting is unlikely to be efficiently solvable.
Towards this, we identify a sub-class of regular languages, called pattern languages (and their extension, generalized pattern languages). Pattern languages can naturally express specific orderings of some number of (labelled) events, and are inspired by a popular empirical hypothesis, the `small bug depth' hypothesis. More importantly, we show that for pattern (and generalized pattern) languages, the predictive monitoring problem can be solved by a constant-space streaming linear-time algorithm.
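The constant-space flavour of pattern monitoring can be sketched in a deliberately simplified, non-predictive form: checking whether the observed stream itself contains the pattern's events in order (as a subsequence). This omits the reordering/commutativity reasoning that is the paper's contribution; the event names are invented.

```python
# Constant-space streaming check: does the event stream contain the
# pattern e1, ..., ek as a subsequence?  The monitor stores only an
# index into the pattern, independent of the stream length.

def monitor(pattern):
    """Return a stateful per-event checker for `pattern`."""
    state = {"i": 0}               # how much of the pattern is matched
    def step(event):
        if state["i"] < len(pattern) and event == pattern[state["i"]]:
            state["i"] += 1        # advance on the next expected event
        return state["i"] == len(pattern)   # True once fully matched
    return step
```

Feeding events one at a time, the checker reports a match exactly when all pattern events have been seen in the specified order, using O(1) space per monitored pattern.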
Efficient Reflection String Analysis via Graph Coloring
Static analyses for reflection and other dynamic language features have recently increased in number and advanced in sophistication. Most such analyses rely on a whole-program model of the flow of strings, through the stack and heap. We show that this global modeling of strings remains a major bottleneck of static analyses and propose a compact encoding, in order to battle unnecessary complexity. In our encoding, strings are maximally merged if they can never serve to differentiate class members in reflection operations. We formulate the problem as an instance of graph coloring and propose a fast polynomial-time algorithm that exploits the unique features of the setting (esp. large cliques, leading to hundreds of colors for realistic programs). The encoding is applied to two different frameworks for string-guided Java reflection analysis from past literature and leads to significant optimization (e.g., a ~2x reduction in the number of string-flow inferences), for a whole-program points-to analysis that uses strings.
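The coloring-based merging can be sketched as follows. The interference criterion below (two strings must stay distinct if both can name members of the same class) is an assumption standing in for the paper's actual condition, and the greedy highest-degree-first heuristic is one common choice, not necessarily the paper's algorithm.

```python
# Illustrative sketch: two strings "interfere" if some reflection
# operation must be able to tell them apart; greedy graph coloring
# assigns each string a color, and all strings sharing a color are
# merged into one abstract string.

def greedy_coloring(strings, interferes):
    """Greedy coloring of the interference graph over `strings`.

    `interferes(a, b)` -> True if a and b must stay distinguishable.
    Returns {string: color}; equal colors mean the strings may merge.
    """
    color = {}
    # Color higher-degree nodes first, a common greedy heuristic.
    degree = {s: sum(interferes(s, t) for t in strings if t != s)
              for s in strings}
    for s in sorted(strings, key=degree.get, reverse=True):
        used = {color[t] for t in color if interferes(s, t)}
        c = 0
        while c in used:           # smallest color not used by neighbors
            c += 1
        color[s] = c
    return color
```

Strings that never interfere (e.g., strings that can never reach a reflection site) all receive the same color and collapse into a single representative, shrinking the string-flow model.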
Retrofitting parallelism onto OCaml
OCaml is an industrial-strength, multi-paradigm programming language, widely used in industry and academia. OCaml is also one of the few modern managed system programming languages to lack support for shared-memory parallel programming. This paper describes the design, a full-fledged implementation, and an evaluation of a mostly-concurrent garbage collector (GC) for the multicore extension of the OCaml programming language. Given that we propose to add parallelism to a widely used programming language with millions of lines of existing code, we face the challenge of maintaining backwards compatibility -- not just in terms of the language features but also the performance of single-threaded code running with the new GC. To this end, the paper presents a series of novel techniques and demonstrates that the new GC strikes a balance between performance and feature backwards compatibility for sequential programs and scales admirably on modern multicore processors.
Cautiously Optimistic Program Analyses for Secure and Reliable Software
Modern computer systems still have various security and reliability vulnerabilities. Well-known dynamic analysis solutions can mitigate them using runtime monitors that serve as lifeguards. But the additional work of enforcing these security and safety properties incurs exorbitant performance costs, and such tools are rarely used in practice. Our work addresses this problem by constructing a novel technique: Cautiously Optimistic Program Analysis (COPA).
COPA is optimistic: it infers likely program invariants from dynamic observations and assumes them in its static reasoning to precisely identify and elide wasteful runtime monitors. The resulting system is fast, but also ensures soundness by recovering to a conservatively optimized analysis when a likely invariant rarely fails at runtime. COPA is also cautious: by carefully restricting optimizations to only safe elisions, the recovery is greatly simplified. It avoids unbounded rollbacks upon recovery, thereby enabling analysis for live production software.
We demonstrate the effectiveness of Cautiously Optimistic Program Analyses in three areas:
Information-Flow Tracking (IFT) can help prevent security breaches and information leaks, but it is rarely used in practice due to its high performance overhead (>500% for web/email servers). COPA dramatically reduces this cost by eliding wasteful IFT monitors, making IFT practical (9% overhead, a 4x speedup).
Automatic Garbage Collection (GC) in managed languages (e.g. Java) simplifies programming tasks while ensuring memory safety. However, there is no correct GC for weakly-typed languages (e.g. C/C++), and manual memory management is prone to errors that have been exploited in high profile attacks. We develop the first sound GC for C/C++, and use COPA to optimize its performance (16% overhead).
Sequential Consistency (SC) provides intuitive semantics to concurrent programs that simplifies reasoning for their correctness. However, ensuring SC behavior on commodity hardware remains expensive. We use COPA to ensure SC for Java at the language-level efficiently, and significantly reduce its cost (from 24% down to 5% on x86).
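The optimistic/cautious split described above can be sketched as a fast-path/fallback pattern. This is a conceptual illustration only: the function names and the "likely untainted" invariant are invented for the example, and real COPA operates inside compiler-inserted instrumentation rather than wrapper functions.

```python
# Conceptual sketch of COPA's optimistic pattern: a cheap check of a
# likely invariant guards a fast path with the expensive runtime
# monitor elided; if the invariant fails, execution falls back to the
# conservatively monitored path -- no rollback is needed, because only
# monitor elisions (never program effects) were optimized away.

def run_monitored(op, taint_check):
    """Conservative path: always run the expensive monitor."""
    taint_check(op)          # e.g., full information-flow propagation
    return op()

def run_optimistic(op, likely_untainted, taint_check):
    """Fast path when the inferred invariant holds; safe fallback otherwise."""
    if likely_untainted(op):     # likely invariant: op touches no secrets
        return op()              # monitor elided
    return run_monitored(op, taint_check)   # cautious fallback
```

Because the fast path elides only the monitor and not any program effect, a failed invariant simply routes the current operation through the monitored path, which is what keeps recovery bounded.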
COPA provides a way to realize strong software security, reliability, and semantic guarantees at practical costs.
PhD thesis, Computer Science & Engineering, University of Michigan, Horace H. Rackham School of Graduate Studies. http://deepblue.lib.umich.edu/bitstream/2027.42/170027/1/subarno_1.pd