NJU Static Program Analysis 08: Pointer Analysis I
NJU Static Program Analysis 08: Pointer Analysis I
Abstract
- What is pointer analysis?
- Understand the key factors of pointer analysis
- Understand what we analyze in pointer analysis
Notes
This lecture is tend to give a general introduction to pointer analysis. Point analysis is one of the most fundamental static program analysis that computes which memory locations a pointer can point to, which objects a pointer can point to and an over-approximation of the set of objects that a pointer can point to. While the very first complete research on pointer analysis can date back to 1980, nowadays it is still an active researching area, especially for fundamental information, compiler optimization, bug detection, security analysis and more applications.
There are many kinds of strategy for pointer analysis, each with different precision and efficiency. In the following lectures of the curriculum, we will choose a specific set of techniques for ours.
-
Heap Abstraction
Heap abstraction is strategy that guarantees the pointer analysis could finally end even when handling a real program containing unbounded heap objects due to loops and recursions.
There are many different kinds of heap abstraction techniques. In the curriculum, we will use Allocation Sites Abstraction that model concrete objects by their allocation sites. As a program text is finite, allocation sites in a program will be bounded, which guarantees that the analysis is bond to end in limited time.
-
Context Sensitivity
Context sensitivity is a tech that analysis each method multiple times, once for each context. Researchers have shown that it can dramatically increase the precision of static program analysis for OOPLs such as Java. In this curriculum, we will start from the simple but imprecise context-insensitive analysis, and implement a context-sensitive analysis later.
-
Flow Sensitivity
Flow sensitivity respects the execution order of the statements by maintaining a point-to relations map at each program location. So far, there is no significant evidence showing flow sensitivity techs can dramatically improve the precision of OOPL pointer analysis as that of the C language. Extra maintaining cost considered, we choose to use flow-insensitive tech for our analysis.
-
Analysis Scope
Some demand-driven analysis choose to analysis part of the program based on the requirement. However on some occasions, the "part" can be a so huge that it cannot perform significantly over analysis for the whole program. Let alone it should run many times for each demand. So in our analysis, we will choose to do while-program analysis.
To do pointer analysis, we only need to concern the statements affecting point-to relations. in Java,
there are four kinds of different pointers including Local variable, Static Field, Instance Field and Array Element.
Static field is sometimes called as global variable, which indicates that its handling is similar to that of local variables, which we have attempted before. Instance field is modeled as an object with a field, such as obj.f. For array element, when doing analysis, we will ignore its indexes by abstracting all the elements by a single field, say arr that may point to any value stored in the array - in order to avoid actually running the program to get concrete information. In this way, array element would become a kind of instance field.
We will further study how to handle these kinds of pointers in the following lectures.
there are five kinds of different pointer-affecting statements:
| TYPE | EXAMPLE |
|---|---|
| New | x = new T() |
| Assign | x = y |
| Store | x.f = y |
| Load | y = x.f |
| Call | r = x.k(a, ...) |
For some complex memory-accesses statements like x.f.g.h will be converted ti three-address code in previous analysis procedures.
