Skip to main content
SpringerLink
Log in

Precise Null Pointer Analysis Through Global Value Numbering

  • Conference paper
  • First Online:
Automated Technology for Verification and Analysis (ATVA 2017)

Part of the book series: Lecture Notes in Computer Science ((LNPSE,volume 10482))

Abstract

Precise analysis of pointer information plays an important role in many static analysis tools. The precision, however, must be balanced against the scalability of the analysis. This paper focusses on improving the precision of standard context and flow insensitive alias analysis algorithms at a low scalability cost. In particular, we present a semantics-preserving program transformation that drastically improves the precision of existing analyses when deciding if a pointer can alias Null. Our program transformation is based on Global Value Numbering, a scheme inspired from compiler optimization literature. It allows even a flow-insensitive analysis to make use of branch conditions such as checking if a pointer is Null and gain precision. We perform experiments on real-world code and show that the transformation improves precision (in terms of the number of dereferences proved safe) from 86.56% to 98.05%, while incurring a small overhead in the running time.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Notes

  1. 1.

    https://msdn.microsoft.com/en-us/library/windows/hardware/mt779102(v=vs.85).aspx.

  2. 2.

    https://www.microsoft.com/en-us/research/project/angelic-verification/.

  3. 3.

    At https://github.com/boogie-org/corral, project AddOns \(\backslash \) AliasAnalysis.

References

  1. Andersen, L.O.: Program analysis and specialization for the C programming language. Ph.D. thesis, DIKU, University of Copenhagen, May 1994

    Google Scholar 

  2. Barnett, M., Qadeer, S.: BCT: A translator from MSIL to Boogie. In: Seventh Workshop on Bytecode Semantics, Verification, Analysis and Transformation (2012)

    Google Scholar 

  3. Choi, J.D., Burke, M., Carini, P.: Efficient flow-sensitive interprocedural computation of pointer-induced aliases and side effects. In: Principles of Programming Languages, pp. 232–245 (1993)

    Google Scholar 

  4. Cocke, J.: Global common subexpression elimination. In: Proceedings of a Symposium on Compiler Optimization, pp. 20–24. ACM, New York (1970)

    Google Scholar 

  5. Cytron, R., Ferrante, J., Rosen, B.K., Wegman, M.N., Zadeck, F.K.: Efficiently computing static single assignment form and the control dependence graph. ACM Trans. Program. Lang. Syst. 13(4), 451–490 (1991)

    Article  Google Scholar 

  6. Das, A., Lahiri, S.K., Lal, A., Li, Y.: Angelic verification: precise verification modulo unknowns. In: Kroening, D., Păsăreanu, C.S. (eds.) CAV 2015. LNCS, vol. 9206, pp. 324–342. Springer, Cham (2015). doi:10.1007/978-3-319-21690-4_19

    Chapter  Google Scholar 

  7. Das, A., Lal, A.: Precise null pointer analysis through global value numbering. CoRR abs/1702.05807 (2017). http://arxiv.org/abs/1702.05807

  8. De, A., D’Souza, D.: Scalable flow-sensitive pointer analysis for java with strong updates. In: Noble, J. (ed.) ECOOP 2012. LNCS, vol. 7313, pp. 665–687. Springer, Heidelberg (2012). doi:10.1007/978-3-642-31057-7_29

    Chapter  Google Scholar 

  9. Fink, S.J., Yahav, E., Dor, N., Ramalingam, G., Geay, E.: Effective typestate verification in the presence of aliasing. ACM Trans. Softw. Eng. Methodol. 17(2), 9:1–9:34 (2008)

    Article  Google Scholar 

  10. Gulwani, S., Necula, G.C.: Global value numbering using random interpretation. In: Principles of Programming Languages, POPL, pp. 342–352 (2004)

    Google Scholar 

  11. Hardekopf, B., Lin, C.: Flow-sensitive pointer analysis for millions of lines of code. In: Code Generation and Optimization (CGO), pp. 289–298 (2011)

    Google Scholar 

  12. Hasti, R., Horwitz, S.: Using static single assignment form to improve flow-insensitive pointer analysis. In: Programming Language Design and Implementation (PLDI), pp. 97–105 (1998)

    Google Scholar 

  13. Heintze, N., Tardieu, O.: Demand-driven pointer analysis. In: Programming Language Design and Implementation (PLDI), pp. 24–34 (2001)

    Google Scholar 

  14. Horwitz, S.: Precise flow-insensitive may-alias analysis is NP-Hard. ACM Trans. Program. Lang. Syst. 19(1), 1–6 (1997)

    Article  Google Scholar 

  15. Jones, N.D., Muchnick, S.S.: A flexible approach to interprocedural data flow analysis and programs with recursive data structures. In: Principles of Programming Languages (POPL), pp. 66–74 (1982)

    Google Scholar 

  16. Kildall, G.A.: A unified approach to global program optimization. In: Principles of Programming Languages, pp. 194–206 (1973)

    Google Scholar 

  17. Lal, A., Qadeer, S.: Powering the static driver verifier using corral. In: Foundations of Software Engineering, pp. 202–212 (2014)

    Google Scholar 

  18. Landi, W., Ryder, B.G.: A safe approximate algorithm for interprocedural pointer aliasing. SIGPLAN Not. 39(4), 473–489 (2004)

    Article  Google Scholar 

  19. Leino, K.R.M.: This is boogie 2 (2008). https://github.com/boogie-org/boogie

  20. Lerch, J., Spth, J., Bodden, E., Mezini, M.: Access-path abstraction: scaling field-sensitive data-flow analysis with unbounded access paths (t). In: Automated Software Engineering (ASE), pp. 619–629 (2015)

    Google Scholar 

  21. Lhoták, O., Hendren, L.: Evaluating the benefits of context-sensitive points-to analysis using a bdd-based implementation. ACM Trans. Softw. Eng. Methodol. (TOSEM) 18(1), 3 (2008)

    Article  Google Scholar 

  22. Microsoft: Static driver verifier. http://msdn.microsoft.com/en-us/library/windows/hardware/ff552808(v=vs.85).aspx

  23. Rakamarić, Z., Emmi, M.: SMACK: decoupling source language details from verifier implementations. In: Biere, A., Bloem, R. (eds.) CAV 2014. LNCS, vol. 8559, pp. 106–113. Springer, Cham (2014). doi:10.1007/978-3-319-08867-9_7

    Google Scholar 

  24. Ramalingam, G.: The undecidability of aliasing. ACM Trans. Program. Lang. Syst. 16(5), 1467–1471 (1994)

    Article  Google Scholar 

  25. Sharir, M., Pnueli, A.: Two approaches to interprocedural data flow analysis, pp. 189–234. Prentice-Hall, Englewood Cliffs, NJ (1981). Chap. 7

    Google Scholar 

  26. Sridharan, M., Chandra, S., Dolby, J., Fink, S.J., Yahav, E.: Alias analysis for object-oriented programs. In: Clarke, D., Noble, J., Wrigstad, T. (eds.) Aliasing in Object-Oriented Programming. Types, Analysis and Verification. LNCS, vol. 7850, pp. 196–232. Springer, Heidelberg (2013). doi:10.1007/978-3-642-36946-9_8

    Chapter  Google Scholar 

  27. Steensgaard, B.: Points-to analysis in almost linear time. In: Principles of Programming Languages (POPL), pp. 32–41. ACM, New York (1996)

    Google Scholar 

  28. Whaley, J., Lam, M.S.: An efficient inclusion-based points-to analysis for strictly-typed languages. In: Static Analysis Symposium, pp. 180–195 (2002)

    Google Scholar 

  29. Zheng, X., Rugina, R.: Demand-driven alias analysis for c. In: Proceedings of the 35th Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, POPL 2008, pp. 197–208. ACM, New York (2008)

    Google Scholar 

Download references

Author information

Authors and Affiliations

  1. Carnegie Mellon University, Pittsburgh, PA, USA

    Ankush Das

  2. Microsoft Research, Bangalore, India

    Akash Lal

Authors
  1. Ankush Das
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Akash Lal
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Ankush Das .

Editor information

Editors and Affiliations

  1. Indian Institute of Science, Bangalore, India

    Deepak D'Souza

  2. Chennai Mathematical Institute, Kelambakkam, India

    K. Narayan Kumar

Rights and permissions

Reprints and permissions

Copyright information

© 2017 Springer International Publishing AG

About this paper

Cite this paper

Das, A., Lal, A. (2017). Precise Null Pointer Analysis Through Global Value Numbering. In: D'Souza, D., Narayan Kumar, K. (eds) Automated Technology for Verification and Analysis. ATVA 2017. Lecture Notes in Computer Science(), vol 10482. Springer, Cham. https://doi.org/10.1007/978-3-319-68167-2_2

Download citation

  • DOI: https://doi.org/10.1007/978-3-319-68167-2_2

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-68166-5

  • Online ISBN: 978-3-319-68167-2

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation