Results 1  10
of
34
Interprocedural Slicing Using Dependence Graphs
 ACM TRANSACTIONS ON PROGRAMMING LANGUAGES AND SYSTEMS
, 1990
"... ... This paper concerns the problem of interprocedural slicinggenerating a slice of an entire program, where the slice crosses the boundaries of procedure calls. To solve this problem, we introduce a new kind of graph to represent programs, called a system dependence graph, which extends previou ..."
Abstract

Cited by 696 (78 self)
 Add to MetaCart
... This paper concerns the problem of interprocedural slicinggenerating a slice of an entire program, where the slice crosses the boundaries of procedure calls. To solve this problem, we introduce a new kind of graph to represent programs, called a system dependence graph, which extends previous dependence representations to incorporate collections of procedures (with procedure calls) rather than just monolithic programs. Our main result is an algorithm for interprocedural slicing that uses the new representation. (It should be noted that our work concerns a somewhat restricted kind of slice: Rather than permitting a program to be sliced with respect to program point p and an arbitrary variable, a slice must be taken with respect to a variable that is defined or used at p.) The chief
Interprocedural Dataflow Analysis via Graph Reachability
, 1994
"... This paper shows howalarge class of interprocedural dataflowanalysis problems can be solved precisely in polynomial time. The only restrictions are that the set of dataflow facts is a finite set, and that the dataflow functions distribute overthe confluence operator (either union or intersection). ..."
Abstract

Cited by 373 (33 self)
 Add to MetaCart
This paper shows howalarge class of interprocedural dataflowanalysis problems can be solved precisely in polynomial time. The only restrictions are that the set of dataflow facts is a finite set, and that the dataflow functions distribute overthe confluence operator (either union or intersection). This class of problems includesbut is not limited tothe classical separable problems (also known as "gen/kill" or "bitvector" problems)e.g.,reaching definitions, available expressions, and live variables. In addition, the class of problems that our techniques handle includes manynonseparable problems, including trulylive variables, copyconstant propagation, and possiblyuninitialized variables. Anovelaspect of our approach is that an interprocedural dataflowanalysis problem is transformed into a special kind of graphreachability problem (reachability along interprocedurally realizable paths). The paper presents three polynomialtime algorithms for the realizablepath reachability problem: an exhaustive version, a second exhaustive version that may be more appropriate in the incremental and/or interactive context, and a demand version. The first and third of these algorithms are asymptotically faster than the best previously known realizablepath reachability algorithm. An additional benefit of our techniques is that theylead to improved algorithms for twoother kinds of interprocedural analysis problems: interprocedural flowsensitive sideeffect problems (as studied by Callahan) and interprocedural program slicing (as studied by Horwitz, Reps, and Binkley).
Cloningbased contextsensitive pointer alias analysis using binary decision diagrams
 In Proceedings of the ACM SIGPLAN 2004 Conference on Programming Language Design and Implementation
, 2004
"... This paper presents the first scalable contextsensitive, inclusionbased pointer alias analysis for Java programs. Our approach to context sensitivity is to create a clone of a method for every context of interest, and run a contextinsensitive algorithm over the expanded call graph to get contexts ..."
Abstract

Cited by 227 (14 self)
 Add to MetaCart
This paper presents the first scalable contextsensitive, inclusionbased pointer alias analysis for Java programs. Our approach to context sensitivity is to create a clone of a method for every context of interest, and run a contextinsensitive algorithm over the expanded call graph to get contextsensitive results. For precision, we generate a clone for every acyclic path through a program’s call graph, treating methods in a strongly connected component as a single node. Normally, this formulation is hopelessly intractable as a call graph often has 10 14 acyclic paths or more. We show that these exponential relations can be computed efficiently using binary decision diagrams (BDDs). Key to the scalability of the technique is a context numbering scheme that exposes the commonalities across contexts. We applied our algorithm to the most popular applications available on Sourceforge, and found that the largest programs, with hundreds of thousands of Java bytecodes, can be analyzed in under 20 minutes. This paper shows that pointer analysis, and many other queries and algorithms, can be described succinctly and declaratively using Datalog, a logic programming language. We have developed a system called bddbddb that automatically translates Datalog programs into highly efficient BDD implementations. We used this approach to develop a variety of contextsensitive algorithms including side effect analysis, type analysis, and escape analysis.
Weighted pushdown systems and their application to interprocedural dataflow analysis
 Sci. of Comp. Prog
, 2003
"... Abstract. Recently, pushdown systems (PDSs) have been extended to weighted PDSs, in which each transition is labeled with a value, and the goal is to determine the meetoverallpaths value (for paths that meet a certain criterion). This paper shows how weighted PDSs yield new algorithms for certain ..."
Abstract

Cited by 106 (35 self)
 Add to MetaCart
Abstract. Recently, pushdown systems (PDSs) have been extended to weighted PDSs, in which each transition is labeled with a value, and the goal is to determine the meetoverallpaths value (for paths that meet a certain criterion). This paper shows how weighted PDSs yield new algorithms for certain classes of interprocedural dataflowanalysis problems. 1
Pointer analysis: Haven’t we solved this problem yet?
 PASTE'01
, 2001
"... During the past twentyone years, over seventyfive papers and nine Ph.D. theses have been published on pointer analysis. Given the tomes of work on this topic one may wonder, "Haven't we solved this problem yet?" With input from many researchers in the field, this paper describes issues related to ..."
Abstract

Cited by 82 (1 self)
 Add to MetaCart
During the past twentyone years, over seventyfive papers and nine Ph.D. theses have been published on pointer analysis. Given the tomes of work on this topic one may wonder, "Haven't we solved this problem yet?" With input from many researchers in the field, this paper describes issues related to pointer analysis and remaining open problems.
On the Complexity Analysis of Static Analyses
 Journal of the ACM
, 1999
"... . This paper argues that for many algorithms, and static analysis ..."
Abstract

Cited by 66 (3 self)
 Add to MetaCart
. This paper argues that for many algorithms, and static analysis
ContextSensitive Program Analysis as Database Queries
, 2005
"... Program analysis has been increasingly used in software engineering tasks such as auditing programs for security vulnerabilities and finding errors in general. Such tools often require analyses much more sophisticated than those traditionally used in compiler optimizations. In particular, contextse ..."
Abstract

Cited by 52 (6 self)
 Add to MetaCart
Program analysis has been increasingly used in software engineering tasks such as auditing programs for security vulnerabilities and finding errors in general. Such tools often require analyses much more sophisticated than those traditionally used in compiler optimizations. In particular, contextsensitive pointer alias information is a prerequisite for any sound and precise analysis that reasons about uses of heap objects in a program. Contextsensitive analysis is challenging because there are over 10^14 contexts in a typical large program, even after recursive cycles are collapsed. Moreover, pointers cannot be resolved in general without analyzing the entire program. This paper
Codequest: Scalable source code queries with datalog
 In ECOOP Proceedings
, 2006
"... Abstract. Source code querying tools allow programmers to explore relations between different parts of the code base. This paper describes such a tool, named CodeQuest. It combines two previous proposals, namely the use of logic programming and database systems. As the query language we use safe Dat ..."
Abstract

Cited by 42 (0 self)
 Add to MetaCart
Abstract. Source code querying tools allow programmers to explore relations between different parts of the code base. This paper describes such a tool, named CodeQuest. It combines two previous proposals, namely the use of logic programming and database systems. As the query language we use safe Datalog, which was originally introduced in the theory of databases. That provides just the right level of expressiveness; in particular recursion is indispensable for source code queries. Safe Datalog is like Prolog, but all queries are guaranteed to terminate, and there is no need for extralogical annotations. Our implementation of Datalog maps queries to a relational database system. We are thus able to capitalise on the query optimiser provided by such a system. For recursive queries we implement our own optimisations in the translation from Datalog to SQL. Experiments confirm that this strategy yields an efficient, scalable code querying system. 1
Array abstractions from proofs
 CAV, volume 4590 of LNCS
, 2007
"... Abstract. We present a technique for using infeasible program paths to automatically infer Range Predicates that describe properties of unbounded array segments. First, we build proofs showing the infeasibility of the paths, using axioms that precisely encode the highlevel (but informal) rules with ..."
Abstract

Cited by 34 (3 self)
 Add to MetaCart
Abstract. We present a technique for using infeasible program paths to automatically infer Range Predicates that describe properties of unbounded array segments. First, we build proofs showing the infeasibility of the paths, using axioms that precisely encode the highlevel (but informal) rules with which programmers reason about arrays. Next, we mine the proofs for Craig Interpolants which correspond to predicates that refute the particular counterexample path. By embedding the predicate inference technique within a CounterexampleGuided AbstractionRefinement (CEGAR) loop, we obtain a method for verifying datasensitive safety properties whose precision is tailored in a program and propertysensitive manner. Though the axioms used are simple, we show that the method suffices to prove a variety of arraymanipulating programs that were previously beyond automatic model checkers. 1