... This paper concerns the problem of interprocedural slicing---generating a slice of an entire program, where the slice crosses the boundaries of procedure calls. To solve this problem, we introduce a new kind of graph to represent programs, called a system dependence graph, which extends previous dependence representations to incorporate collections of procedures (with procedure calls) rather than just monolithic programs. Our main result is an algorithm for interprocedural slicing that uses the new representation. (It should be noted that our work concerns a somewhat restricted kind of slice: Rather than permitting a program to be sliced with respect to program point p and an arbitrary variable, a slice must be taken with respect to a variable that is defined or used at p.) The chief

Software engineers are faced with a dilemma. They want to write general and wellstructured programs that are flexible and easy to maintain. On the other hand, generality has a price: efficiency. A specialized program solving a particular problem is often significantly faster than a general program. However, the development of specialized software is time-consuming, and is likely to exceed the production of today’s programmers. New techniques are required to solve this so-called software crisis. Partial evaluation is a program specialization technique that reconciles the benefits of generality with efficiency. This thesis presents an automatic partial evaluator for the Ansi C programming language. The content of this thesis is analysis and transformation of C programs. We develop several analyses that support the transformation of a program into its generating extension. A generating extension is a program that produces specialized programs when executed on parts of the input. The thesis contains the following main results.

This paper proposes an efficient technique for contextsensitive pointer analysis that is applicable to real C programs. For efficiency, we summarize the effects of procedures using partial transfer functions. A partial transfer function (PTF) describes the behavior of a procedure assuming that certain alias relationships hold when it is called. We can reuse a PTF in many calling contexts as long as the aliases among the inputs to the procedure are the same. Our empirical results demonstrate that this technique is successful---a single PTF per procedure is usually sufficient to obtain completely context-sensitive results. Because many C programs use features such as type casts and pointer arithmetic to circumvent the high-level type system, our algorithm is based on a low-level representation of memory locations that safely handles all the features of C. We have implemented our algorithm in the SUIF compiler system and we show that it runs efficiently for a set of C benchmarks. 1 Introd...

This paper shows howalarge class of interprocedural dataflow-analysis problems can be solved precisely in polynomial time. The only restrictions are that the set of dataflowfacts is a finite set, and that the dataflowfunctions distribute overthe confluence operator (either union or intersection). This class of problems includes---but is not limited to---the classical separable problems (also known as "gen/kill" or "bit-vector" problems)---e.g.,reaching definitions, available expressions, and live variables. In addition, the class of problems that our techniques handle includes manynon-separable problems, including trulylive variables, copyconstant propagation, and possibly-uninitialized variables. Anovelaspect of our approach is that an interprocedural dataflow-analysis problem is transformed into a special kind of graph-reachability problem (reachability along interprocedurally realizable paths). The paper presents three polynomial-time algorithms for the realizable-path reachability problem: an exhaustive version, a second exhaustive version that may be more appropriate in the incremental and/or interactive context, and a demand version. The first and third of these algorithms are asymptotically faster than the best previously known realizable-path reachability algorithm. An additional benefit of our techniques is that theylead to improvedalgorithms for twoother kinds of interproceduralanalysis problems: interprocedural flow-sensitive side-effect problems (as studied by Callahan) and interprocedural program slicing (as studied by Horwitz, Reps, and Binkley). CR Categories and Subject Descriptors: D.3.4 [Programming Languages]: Processors - compilers, optimization;E.1 [Data

Aliasing occurs at some program point during execution when two or more names exist for the same location. In a language which allows pointers, the problem of determining the set of pairs of names at a program point which may refer to the same location during program execution is NP-hard. We present an algorithm which safely approximates Interprocedural May Alias in the presence of pointers. This algorithm has been implemented in a prototype analysis tool for C programs. 3 The research reported here was supported, in part, by Siemens Research Corporation and NSF grant CCR8920078. y Department of Computer Science, Rutgers University, New Brunswick, NJ 08903 Contents 1 Introduction 3 2 Problem Representation 6 2.1 Interprocedural Control Flow Graph : : : : : : : : : : : : : : : : : : : : : : : : : : : 6 2.2 Types : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : 6 2.3 Object Names : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : ...

This paper concerns the static analysis of programs that perform destructive updating on heap-allocated storage. We give an algorithm that conservatively solves this problem by using a finite shape-graph to approximate the possible “shapes” that heap-allocated structures in a program can take on. In contrast with previous work, our method M even accurate for certain programs that update cyclic data structures. For example, our method can determine that when the input to a program that searches a list and splices in a new element is a possibly circular list, the output is a possibly circular list.

A program pro le attributes run-time costs to portions of a program's execution. Most pro ling systems su er from two major de ciencies: rst, they only apportion simple metrics, such as execution frequency or elapsed time to static, syntactic units, such as procedures or statements; second, they aggressively reduce the volume of information collected and reported, although aggregation can hide striking di erences in program behavior. This paper addresses both concerns by exploiting the hardware counters available in most modern processors and by incorporating two concepts from data ow analysis { ow and context sensitivity{to report more context for measurements. This paper extends our previous work on e cient path pro ling to ow sensitive pro ling, which associates hardware performance metrics with a path through a procedure. In addition, it describes a data structure, the calling context tree, that e ciently captures calling contexts for procedure-level measurements. Our measurements show that the SPEC95 benchmarks execute a small number (3{28) of hot paths that account for 9{98 % of their L1 data cache misses. Moreover, these hot paths are concentrated in a few routines, which have complex dynamic behavior. 1

The first interprocedural modification side-effects analysis for C (MOD_C) that obtains better than worst-case precision on programs with general-purpose pointer usage is presented with empirical results. The analysis consists of an algorithm schema corresponding to a family of MODC algorithms with two independent phases: one for determining pointer-induced aliases and a subsequent one for propagating interprocedural side effects. These MOD_C algorithms are parameterized by the aliasing method used. The empirical results compare the performance of two dissimilar MOD_C algorithms: MOD_C(FSAlias) uses a flow-sensitive, calling-context-sensitive interprocedural alias analysis [LR92]; MOD_C(FIAlias) uses a flow-insensitive, calling-context-insensitive alias analysis which is much faster, but less accurate. These two algorithms were profiled on 45 programs ranging in size from 250 to 30,000 lines of C code, and the results demonstrate dramatically the possible cost-precision tradeoffs. This first comparative implementation of MODC analyses offers insight into the differences between flow-/context-sensitive and flow-/context-insensitive analyses. The analysis cost versus precision tradeoffs in side-effect information obtained is reported. The results show surprisingly that the precision of flow-sensitive side-effect analysis is not always prohibitive in cost, and that the precision of flow-insensitive analysis is substantially better than worst-case estimates and seems sufficient for certain applications. On average MODC (FSAlias) for procedures and calls is in the range of 20% more precise than MODC (F IAlias); however, the performance was found to be at least an order of magnitude slower than MODC (F IAlias).

Abstract not found

The number and the importance of Web applications have increased rapidly over the last years. At the same time, the quantity and impact of security vulnerabilities in such applications have grown as well. Since manual code reviews are time-consuming, error-prone and costly, the need for automated solutions has become evident. In this paper, we address the problem of vulnerable Web applications by means of static source code analysis. More precisely, we use flow-sensitive, interprocedural and context-sensitive data flow analysis to discover vulnerable points in a program. In addition, alias and literal analysis are employed to improve the correctness and precision of the results. The presented concepts are targeted at the general class of taint-style vulnerabilities and can be applied to the detection of vulnerability types such as SQL injection, cross-site scripting, or command injection. Pixy, the open source prototype implementation of our concepts, is targeted at detecting cross-site scripting vulnerabilities in PHP scripts. Using our tool, we discovered and reported 15 previously unknown vulnerabilities in three web applications, and reconstructed 36 known vulnerabilities in three other web applications. The observed false positive rate is at around 50 % (i.e., one false positive for each vulnerability) and therefore, low enough to permit effective security audits.