Results 1 
9 of
9
Cloningbased contextsensitive pointer alias analysis using binary decision diagrams
 In Proceedings of the ACM SIGPLAN 2004 Conference on Programming Language Design and Implementation
, 2004
"... This paper presents the first scalable contextsensitive, inclusionbased pointer alias analysis for Java programs. Our approach to context sensitivity is to create a clone of a method for every context of interest, and run a contextinsensitive algorithm over the expanded call graph to get contexts ..."
Abstract

Cited by 228 (14 self)
 Add to MetaCart
This paper presents the first scalable contextsensitive, inclusionbased pointer alias analysis for Java programs. Our approach to context sensitivity is to create a clone of a method for every context of interest, and run a contextinsensitive algorithm over the expanded call graph to get contextsensitive results. For precision, we generate a clone for every acyclic path through a program’s call graph, treating methods in a strongly connected component as a single node. Normally, this formulation is hopelessly intractable as a call graph often has 10 14 acyclic paths or more. We show that these exponential relations can be computed efficiently using binary decision diagrams (BDDs). Key to the scalability of the technique is a context numbering scheme that exposes the commonalities across contexts. We applied our algorithm to the most popular applications available on Sourceforge, and found that the largest programs, with hundreds of thousands of Java bytecodes, can be analyzed in under 20 minutes. This paper shows that pointer analysis, and many other queries and algorithms, can be described succinctly and declaratively using Datalog, a logic programming language. We have developed a system called bddbddb that automatically translates Datalog programs into highly efficient BDD implementations. We used this approach to develop a variety of contextsensitive algorithms including side effect analysis, type analysis, and escape analysis.
Scalable error detection using Boolean satisfiability
 In Proc. 32Ç È POPL. ACM
, 2005
"... We describe a software errordetection tool that exploits recent advances in boolean satisfiability (SAT) solvers. Our analysis is path sensitive, precise down to the bit level, and models pointers and heap data. Our approach is also highly scalable, which we achieve using two techniques. First, for ..."
Abstract

Cited by 93 (8 self)
 Add to MetaCart
We describe a software errordetection tool that exploits recent advances in boolean satisfiability (SAT) solvers. Our analysis is path sensitive, precise down to the bit level, and models pointers and heap data. Our approach is also highly scalable, which we achieve using two techniques. First, for each program function, several optimizations compress the size of the boolean formulas that model the control and dataflow and the heap locations accessed by a function. Second, summaries in the spirit of type signatures are computed for each function, allowing interprocedural analysis without a dramatic increase in the size of the boolean constraints to be solved. We demonstrate the effectiveness of our approach by constructing a lock interface inference and checking tool. In an interprocedural analysis of more than 23,000 lock related functions in the latest Linux kernel, the checker generated 300 warnings, of which 179 were unique locking errors, a false positive rate of only 40%.
CONTEXTSENSITIVE POINTER ANALYSIS USING BINARY DECISION DIAGRAMS
, 2007
"... in my opinion, it ..."
Using ZBDDs in pointsto analysis
 In Workshops on Languages and Compilers for Parallel Computing (LCPC
, 2007
"... Abstract. Binary Decision Diagrams (BDDs) have recently become widely accepted as a spaceefficient method of representing relations in pointsto analyses. When BDDs are used to represent relations, each element of a domain is assigned a bit pattern to represent it, but not every bit pattern represe ..."
Abstract

Cited by 4 (0 self)
 Add to MetaCart
Abstract. Binary Decision Diagrams (BDDs) have recently become widely accepted as a spaceefficient method of representing relations in pointsto analyses. When BDDs are used to represent relations, each element of a domain is assigned a bit pattern to represent it, but not every bit pattern represents an element. The circuit design, model checking, and verification communities have achieved significant reductions in BDD sizes using ZeroSuppressed BDDs (ZBDDs) to avoid the overhead of these don’tcare bit patterns. We adapt BDDbased program analyses to use ZBDDs instead of BDDs. Our experimental evaluation studies the space requirements of ZBDDs for both contextinsensitive and contextsensitive program analyses and shows that ZBDDs can greatly reduce the space requirements for expensive contextsensitive pointsto analysis. Using ZBDDs to reduce the size of the relations allows a compiler or other software analysis tools to analyze larger programs with greater precision. We also provide a metric that can be used to estimate whether ZBDDs will be more compact than BDDs for a given analysis. 1
Parallel inclusionbased pointsto analysis
 In Proceedings of the 24th Annual ACM SIGPLAN Conference on ObjectOriented Programming, Systems, Languages, and Applications (OOPSLA’10
, 2010
"... Inclusionbased pointsto analysis provides a good tradeoff between precision of results and speed of analysis, and it has been incorporated into several production compilers including gcc. There is an extensive literature on how to speed up this algorithm using heuristics such as detecting and col ..."
Abstract

Cited by 4 (1 self)
 Add to MetaCart
Inclusionbased pointsto analysis provides a good tradeoff between precision of results and speed of analysis, and it has been incorporated into several production compilers including gcc. There is an extensive literature on how to speed up this algorithm using heuristics such as detecting and collapsing cycles of pointerequivalent variables. This paper describes a complementary approach based on exploiting parallelism. Our implementation exploits two key insights. First, we show that inclusionbased pointsto analysis can be formulated entirely in terms of graphs and graph rewrite rules. This exposes the amorphous dataparallelism in this algorithm and makes it easier to develop a parallel implementation. Second, we show that this graphtheoretic formulation reveals certain key properties of the algorithm that can be exploited to obtain an efficient parallel implementation. Our parallel implementation achieves a scaling of up to 3x on a 8core machine for a suite of ten large C programs. For all but the smallest benchmarks, the parallel analysis outperforms a stateoftheart, highly optimized, serial implementation of the same algorithm. To the best of our knowledge, this is the first parallel implementation of a pointsto analysis.
Providing a Formal Linkage between MDG and HOL
, 2002
"... We describe an approach for formally verifying the linkage between a symbolic state enumeration system and a theorem proving system. This involves the following three stages of proof. Firstly we prove theorems about the correctness of the translation part of the symbolic state system. It interface ..."
Abstract

Cited by 2 (2 self)
 Add to MetaCart
We describe an approach for formally verifying the linkage between a symbolic state enumeration system and a theorem proving system. This involves the following three stages of proof. Firstly we prove theorems about the correctness of the translation part of the symbolic state system. It interfaces between low level decision diagrams and high level description languages. We ensure that the semantics of a program is preserved in those of its translated form. Secondly we prove linkage theorems: theorems that justify introducing a result from a state enumeration system into a proof system. Finally we combine the translator correctness and linkage theorems. The resulting new linkage theorems convert results to a high level language from the low level decision diagrams that the result was actually proved about in the state enumeration system.They justify importing lowlevel external verification results into a theorem prover. We use a linkage between the HOL system and a simplified version of the MDG system to illustrate the ideas and consider a small example that integrates two applications from MDG and HOL to illustrate the linkage theorems.
LEARNING EFFECTIVE BDD VARIABLE ORDERS FOR BDDBASED PROGRAM ANALYSIS
, 2006
"... ii Software reliability and security are in jeopardy. As software has become ubiquitous and its capabilities have become more complex, code quality has been sacrificed in the race for the next ”killer app. ” In response, program analysis researchers have mounted a revolution; they have developed new ..."
Abstract

Cited by 2 (0 self)
 Add to MetaCart
ii Software reliability and security are in jeopardy. As software has become ubiquitous and its capabilities have become more complex, code quality has been sacrificed in the race for the next ”killer app. ” In response, program analysis researchers have mounted a revolution; they have developed new tools and methods, underpinned by traditional compilation techniques, in order to save software from its downward spiral. However, because these tools and analyses have also become more sophisticated, they too have suffered from scalability, reliability and complexity issues. Just as program analysis researchers have set out to solve the problems of software developers, we have set out to solve the problems of program analysis researchers. The bddbddb (Binary Decision DiagramBased Deductive DataBase) system has recently made possible many advanced, contextsensitive program analyses. Such analyses can be expressed in bddbddb as Datalog queries, which are quantifiably easier to write than a traditional implementation. The bddbddb system’s unique compilation mechanisms also yield
Program analysis and specialisation using tree automata
"... Abstract. Static analysis of programs using regular tree grammars has been studied for more than 30 years, the earliest example being Reynolds’ work on automatic derivation of datatype definitions from untyped functional programs. Recently the topic has attracted renewed attention, with application ..."
Abstract

Cited by 1 (0 self)
 Add to MetaCart
Abstract. Static analysis of programs using regular tree grammars has been studied for more than 30 years, the earliest example being Reynolds’ work on automatic derivation of datatype definitions from untyped functional programs. Recently the topic has attracted renewed attention, with applications in program specialisation, data flow analysis, shape analysis, mode and type inference, termination analysis and infinite state model checking. There are several related viewpoints on analysis using regular tree grammars, including set constraints, abstract interpretation over tree automata domain, directed types, regular approximation and regular type inference. The lectures will first summarise the relevant properties of finite tree automata, which provide a common foundation for these different viewpoints. It will then be shown how to construct an abstract interpretation over a domain of finite tree automata. Various program analyses based on this domain will be presented, such as “soft ” type construction, checking of safety properties in infinite state systems, and derivation of termsize measures for termination analysis. The lectures will also cover the construction of static analyses based on a given tree grammar capturing some properties of interest. It will be shown (for logic programs) how to build a precise analysis for a program based on an arbitrary regular tree grammar. This has applications in type and mode inference, binding time analysis for offline partial evaluation, and control of online partial evaluation. 1
Providing a Formal Linkage between MDG Verification System and HOL Proof System
, 2003
"... We describe an approach for formally linking a symbolic state enumeration system and a theorem proving system based on a verified version of the former. It has been realized using the HOL system and a simplified version of the MDG system. It involves the following three steps. Firstly, wehave verifi ..."
Abstract
 Add to MetaCart
We describe an approach for formally linking a symbolic state enumeration system and a theorem proving system based on a verified version of the former. It has been realized using the HOL system and a simplified version of the MDG system. It involves the following three steps. Firstly, wehave verified aspects of correctness of a simplified version of the MDG system. We have made certain that the semantics of a program is preserved in those of its translated form. Secondly, we have provided a formal linkage between the MDG system and the HOL system based on a set of theorems, which formally import MDG verification results into HOL theorems. Thirdly, wehave combined the translator correctness and importation theorems to allow MDG verification results to be imported in terms of a high level language (MDGHDL) rather than low level decision diagrams. We also summarize a general method of the stronger consistency theorem to prove design implementations against respective specifications. The feasibility of this approach is demonstrated in a case study that integrates two applications: hardware verification (in MDG) and usability verification (in HOL). A single HOL theorem is proved that integrates the two results.