Unification-based Pointer Analysis with Directional Assignments
2000
Abstract

Cited by 215 (7 self)
This paper describes a new algorithm for flow- and context-insensitive pointer analysis of C programs. Our studies show that the most common use of pointers in C programs is in passing the addresses of composite objects or updateable values as arguments to procedures. Therefore, we have designed a low-cost algorithm that handles this common case accurately. In terms of both precision and running time, this algorithm lies between Steensgaard's algorithm, which treats assignments bidirectionally using unification, and Andersen's algorithm, which treats assignments directionally using subtyping. Our "one level flow" algorithm uses a restricted form of subtyping to avoid unification of symbols at the top levels of pointer chains in the points-to graph, while using unification elsewhere in the graph. The method scales easily to large programs. For instance, we are able to analyze a 1.4 MLOC (million lines of code) program in two minutes, using less than 200MB of memory. At the same time, the pr...
Existential Label Flow Inference via CFL Reachability
In SAS'06, 2005
Abstract

Cited by 15 (4 self)
Label flow analysis is a fundamental static analysis problem with a wide variety of applications. Previous work by Mossin developed a polynomial time subtyping-based label flow inference that supports Hindley-Milner style polymorphism with polymorphic recursion. Rehof et al. have developed an efficient O(n^3) inference algorithm for Mossin's system based on context-free language (CFL) reachability. In this paper, we extend these results to a system that also supports existential polymorphism, which is important for precisely describing correlations among members of a structured type, even when values of that type are part of dynamic data structures. We first develop a provably sound checking system based on polymorphically-constrained types. As usual, we restrict universal quantification to the top level of a type, but existential quantification is first class, with subtyping allowed between existentials with the same binding structure. We then develop a CFL-based inference system. Programmers specify which positions in a type are existentially quantified, and the algorithm infers the constraints bound in the type, or rejects a program if the annotations are inconsistent.
A Usage Analysis With Bounded Usage Polymorphism and Subtyping
In Proceedings of the 12th International Workshop on Implementation of Functional Languages, number AIB007 in Aachener Informatik Berichte, 2000
Abstract

Cited by 14 (3 self)
Previously proposed usage analyses have proved not to scale up well for large programs. In this paper we present a powerful and accurate type-based analysis designed to scale up for large programs. The key features of the type system are usage subtyping and bounded usage polymorphism. Bounded polymorphism can lead to huge constraint sets, and to express constraints compactly we introduce a new expressive form of constraints which allows constraints to be represented compactly through calls to constraint abstractions.
1 Introduction
In the implementation of a lazy functional language, sharing of evaluation is performed by updating. For example, the (unoptimised) evaluation of (x:x + x) (1 + 2) proceeds as follows. First, a closure for 1 + 2 is built in the heap and a reference to the closure is passed to the abstraction. Second, to evaluate x + x the value of x is required. Thus the closure is fetched from the heap and evaluated. Third, the closure is updated with the result so that w...
LOCKSMITH: Context-Sensitive Correlation
Abstract
One common technique for preventing data races in multithreaded programs is to ensure that all accesses to shared locations are consistently protected by a lock. We present a tool called LOCKSMITH for detecting data races in C programs by looking for violations of this pattern. We call the relationship between locks and the locations they protect consistent correlation, and the core of our technique is a novel constraint-based analysis that infers consistent correlation context-sensitively, using the results to check that locations are properly guarded by locks. We present the core of our algorithm for a simple formal language λ ⊲ which we have proven sound, and discuss how we scale it up to an algorithm that aims to be sound for all of C. We develop several techniques to improve the precision and performance of the analysis, including a sharing analysis for inferring thread locality; existential quantification for modeling locks in data structures; and heuristics for modeling unsafe features of C such as type casts. When applied to several benchmarks, including multithreaded servers and Linux device drivers, LOCKSMITH found several races while producing a modest number of false alarms.
Type-Based Flow Analysis:
Abstract
We present a novel approach to scalable implementation of type-based flow analysis with polymorphic subtyping. Using a new presentation of polymorphic subtyping with instantiation constraints, we are able to apply context-free language (CFL) reachability techniques to type-based flow analysis. We develop a CFL-based algorithm for computing flow information in time O(n^3), where n is the size of the typed program. The algorithm substantially improves upon the best previously known algorithm for flow analysis based on polymorphic subtyping with complexity O(n^8). Our technique also yields the first demand-driven algorithm for polymorphic subtype-based flow computation. It works directly on higher-order programs with structured data of finite type (unbounded data structures are incorporated via finite approximations), supports context-sensitive, global flow summarization and includes polymorphic recursion.