879 research outputs found
Heap Abstractions for Static Analysis
Heap data is potentially unbounded and seemingly arbitrary. As a consequence,
unlike stack and static memory, heap memory cannot be abstracted directly in
terms of a fixed set of source variable names appearing in the program being
analysed. This makes it an interesting topic of study and there is an abundance
of literature employing heap abstractions. Although most studies have addressed
similar concerns, their formulations and formalisms often seem dissimilar and
sometimes even unrelated. Thus, the insights gained in one description of heap
abstraction may not directly carry over to some other description. This survey
is a result of our quest for a unifying theme in the existing descriptions of
heap abstractions. In particular, our interest lies in the abstractions and not
in the algorithms that construct them.
In our search for a unified theme, we view a heap abstraction as consisting of
two features: a heap model to represent the heap memory and a summarization
technique for bounding the heap representation. We classify the models as
storeless, store based, and hybrid. We describe various summarization
techniques based on k-limiting, allocation sites, patterns, variables, other
generic instrumentation predicates, and higher-order logics. This approach
allows us to compare the insights of a large number of seemingly dissimilar
heap abstractions and also paves the way for creating new abstractions by
mix-and-match of models and summarization techniques.
Comment: 49 pages, 20 figures
Interprocedural Data Flow Analysis in Soot using Value Contexts
An interprocedural analysis is precise if it is flow sensitive and fully
context-sensitive even in the presence of recursion. Many methods of
interprocedural analysis sacrifice precision for scalability while some are
precise but limited to only a certain class of problems.
Soot currently supports interprocedural analysis of Java programs using graph
reachability. However, this approach is restricted to IFDS/IDE problems, and is
not suitable for general data flow frameworks such as heap reference analysis
and points-to analysis which have non-distributive flow functions.
We describe a general-purpose interprocedural analysis framework for Soot
using data flow values for context-sensitivity. This framework is not
restricted to problems with distributive flow functions, although the lattice
must be finite. It combines the key ideas of the tabulation method of the
functional approach and the technique of value-based termination of call string
construction.
The efficiency and precision of interprocedural analyses are heavily affected
by the precision of the underlying call graph. This is especially important for
object-oriented languages like Java where virtual method invocations cause an
explosion of spurious call edges if the call graph is constructed naively. We
have instantiated our framework with a flow and context-sensitive points-to
analysis in Soot, which enables the construction of call graphs that are far
more precise than those constructed by Soot's SPARK engine.
Comment: SOAP 2013 Final Version
Potentials with Two Shifted Sets of Equally Spaced Eigenvalues and Their Calogero Spectrum
Motivated by the concept of shape invariance in supersymmetric quantum
mechanics, we obtain potentials whose spectrum consists of two shifted sets of
equally spaced energy levels. These potentials are similar to the
Calogero-Sutherland model except the singular term always falls
in the transition region and there is a delta-function
singularity at x=0.
Comment: Latex, 12 pages, Figures available from Authors, To appear in Physics Letters A. Please send requests for figures to [email protected] or [email protected]
Non-Central Potentials and Spherical Harmonics Using Supersymmetry and Shape Invariance
It is shown that the operator methods of supersymmetric quantum mechanics and
the concept of shape invariance can profitably be used to derive properties of
spherical harmonics in a simple way. The same operator techniques can also be
applied to several problems with non-central vector and scalar potentials. As
examples, we analyze the bound state spectra of an electron in a Coulomb plus
an Aharonov-Bohm field and/or in the magnetic field of a Dirac monopole.
Comment: Latex, 12 pages. To appear in American Journal of Physics
Methods for Generating Quasi-Exactly Solvable Potentials
We describe three different methods for generating quasi-exactly solvable
potentials, for which a finite number of eigenstates are analytically known.
The three methods are respectively based on (i) a polynomial ansatz for wave
functions; (ii) point canonical transformations; (iii) supersymmetric quantum
mechanics. The methods are rather general and give considerably richer results
than those available in the current literature.
Comment: 12 pages, LaTeX
Generalized Points-to Graphs: A New Abstraction of Memory in the Presence of Pointers
Flow- and context-sensitive points-to analysis is difficult to scale; for
top-down approaches, the problem centers on repeated analysis of the same
procedure; for bottom-up approaches, the abstractions used to represent
procedure summaries have not scaled while preserving precision.
We propose a novel abstraction called the Generalized Points-to Graph (GPG)
which views points-to relations as memory updates and generalizes them using
the counts of indirection levels leaving the unknown pointees implicit. This
allows us to construct GPGs as compact representations of bottom-up procedure
summaries in terms of memory updates and control flow between them. Their
compactness is ensured by the following optimizations: strength reduction
reduces the indirection levels, redundancy elimination removes redundant memory
updates and minimizes control flow (without over-approximating data dependence
between memory updates), and call inlining enhances the opportunities of these
optimizations. We devise novel operations and data flow analyses for these
optimizations.
Our quest for scalability of points-to analysis leads to the following
insight: The real killer of scalability in program analysis is not the amount
of data but the amount of control flow that it may be subjected to in search of
precision. The effectiveness of GPGs lies in the fact that they discard as much
control flow as possible without losing precision (i.e., by preserving data
dependence without over-approximation). This is the reason why the GPGs are
very small even for main procedures that contain the effect of the entire
program. This allows our implementation to scale to 158kLoC for C programs