Results 1 - 7 of 7
A Schema for Interprocedural Modification Side-Effect Analysis With Pointer Aliasing
- In Proceedings of the SIGPLAN '93 Conference on Programming Language Design and Implementation, 2001
Cited by 126 (13 self)
The first interprocedural modification side-effects analysis for C (MOD_C) that obtains better than worst-case precision on programs with general-purpose pointer usage is presented with empirical results. The analysis consists of an algorithm schema corresponding to a family of MOD_C algorithms with two independent phases: one for determining pointer-induced aliases and a subsequent one for propagating interprocedural side effects. These MOD_C algorithms are parameterized by the aliasing method used. The empirical results compare the performance of two dissimilar MOD_C algorithms: MOD_C(FSAlias) uses a flow-sensitive, calling-context-sensitive interprocedural alias analysis [LR92]; MOD_C(FIAlias) uses a flow-insensitive, calling-context-insensitive alias analysis which is much faster, but less accurate. These two algorithms were profiled on 45 programs ranging in size from 250 to 30,000 lines of C code, and the results demonstrate dramatically the possible cost-precision tradeoffs. This first comparative implementation of MOD_C analyses offers insight into the differences between flow-/context-sensitive and flow-/context-insensitive analyses. The analysis cost versus precision tradeoffs in side-effect information obtained is reported. The results show surprisingly that the precision of flow-sensitive side-effect analysis is not always prohibitive in cost, and that the precision of flow-insensitive analysis is substantially better than worst-case estimates and seems sufficient for certain applications. On average MOD_C(FSAlias) for procedures and calls is in the range of 20% more precise than MOD_C(FIAlias); however, the performance was found to be at least an order of magnitude slower than MOD_C(FIAlias).
Relevant Context Inference
1999
Cited by 98 (18 self)
Relevant context inference (RCI) is a modular technique for flow- and context-sensitive data-flow analysis of statically typed object-oriented programming languages such as C++ and Java. RCI can be used to analyze complete programs as well as incomplete programs such as libraries; this approach does not require that the entire program be memory-resident during the analysis. RCI is presented in the context of points-to analysis for a realistic subset of C++. The empirical evidence obtained from a prototype implementation argues the effectiveness of RCI.
1 Introduction
Points-to analysis [EGH94] for statically typed object-oriented programming languages (e.g., Java, C++) determines, at each program point, the objects to which a pointer may point during execution. This information is crucial to many applications, including static resolution of dynamically dispatched calls, side-effect analysis, data-flow-based testing, program slicing and aggressive compiler optimizations. The s...
Safety checking of machine code
2000
Cited by 49 (3 self)
We show how to determine statically whether it is safe for untrusted machine code to be loaded into a trusted host system. Our safety-checking technique operates directly on the untrusted machine-code program, requiring only that the initial inputs to the untrusted program be annotated with typestate information and linear constraints. This approach opens up the possibility of being able to certify code produced by any compiler from any source language, which gives the code producers more freedom in choosing the language in which they write their programs. It eliminates the dependence of safety on the correctness of the compiler because the final product of the compiler is checked. It leads to the decoupling of the safety policy from the language in which the untrusted code is written, and consequently, makes it possible for safety checking to be performed with respect to an extensible set of safety properties that are specified on the host side. We have implemented a prototype safety checker for SPARC machine-language programs, and applied the safety checker to several examples. The safety checker was able to either prove that an example met the necessary safety conditions, or identify the places where the safety conditions were violated. The checking times ranged from less than a second to 14 seconds on an UltraSPARC machine.
Data-flow-based Testing of Object-Oriented Libraries
1999
Cited by 20 (7 self)
Data-flow-based testing is a well-established approach to program testing. Much object-oriented code is written as libraries; hence data-flow-based testing of object-oriented libraries is of great importance. However, finding def-use relationships in libraries written in object-oriented languages (e.g., Java and C++) is difficult because of unknown aliasing between parameters, unknown concrete types of the parameters, dynamic dispatch and exceptions. We present the first algorithm for finding def-use relationships in object-oriented libraries that overcomes the above difficulties. We also show how the information computed by our algorithm can be used in generating relevant test cases. Our algorithm is flow- and context-sensitive and based on our earlier points-to analysis [CRL99].
Modular Data-Flow Analysis Of Statically Typed Object-Oriented Programming Languages
2000
Cited by 7 (2 self)
Dissertation by Ramkrishna Chatterjee. Dissertation Director: Barbara Gershon Ryder.
The solution of data-flow analysis of object-oriented programming languages such as C++/Java is needed for many important applications: aggressive code optimization, side-effect analysis, program specialization, program slicing and data-flow-based testing. However, data-flow analysis of object-oriented programming languages is difficult due to a large number of heap-allocated objects whose fields point to other heap-allocated objects (recursive structures), dynamic dispatch, frequent method invocations, a large number of methods, many invocation contexts per method and exceptions. In this thesis we present a new data-flow analysis technique called Relevant Context Inference (RCI) for modular, flow- and context-sensitive data-flow analysis of statically typed object-oriented programming languages such ...
Incremental Algorithms and Empirical Comparison for Flow- and Context-sensitive Pointer Aliasing Analysis
- In Proceedings of the 21st International Conference on Software Engineering, 1998
Cited by 4 (0 self)
Pointer aliasing analysis is used to determine if two object names containing dereferences and/or field selectors (e.g., *p, q->t) may refer to the same location during execution. Such information is necessary for applications such as data-flow-based testers, program understanding tools, and debuggers, but is expensive to calculate with acceptable precision. Incremental algorithms update data flow information after a program change rather than recomputing it from scratch, with the belief that the change impact will be limited. Two versions of a practical incremental pointer aliasing algorithm have been developed, based on Landi-Ryder flow- and context-sensitive alias analysis. Empirical results attest to the time savings over exhaustive analysis (a six-fold speedup on average), and the precision of the approximate solution obtained (on average same solution as exhaustive algorithm for 75% of the tests).
Modular Concrete Type-inference for Statically Typed Object-oriented Programming Languages
1997
Cited by 3 (1 self)
The problem of concrete type-inference for statically typed object-oriented programming languages (e.g., Java, C++) determines at each program point, those objects to which a reference may refer or a pointer may point during execution. We present a new technique called analysis-using-abstract-values which performs modular and demand-driven concrete type-inference of a robust subset of Java without threads and exceptions and C++ without exceptions. Our algorithm is provably precise on programs with only single-level types and without dynamic dispatch, and has the worst-case complexity of O(n^4) which is an improvement over the O(n^7) worst-case bound achievable by applying previous approaches of [RHS95] and [LR91] to this case. For general programs, the algorithm is polynomial-time and computes a safe solution.
1 Introduction
The problem of concrete type-inference for statically typed object-oriented programming languages (e.g., Java, C++) is to determine at each...

