Yulei Sui
Jingling Xue
ABSTRACT
This paper presents SVF, a tool that enables scalable and precise interprocedural Static Value-Flow analysis for C programs by leveraging recent advances in sparse analysis. SVF, which is fully implemented in LLVM, allows value-flow construction and pointer analysis to be performed in an iterative manner, thereby providing increasingly improved precision for both. SVF accepts points- to information generated by any pointer analysis (e.g., Andersen’s analysis) and constructs an interprocedural memory SSA form, in which the def-use chains of both top-level and address-taken variables are captured. Such value-flows can be subsequently exploited to support various forms of program analysis or enable more precise pointer analysis (e.g., flow-sensitive analysis) to be performed sparsely. By dividing a pointer analysis into three loosely coupled components: Graph, Rules and Solver, SVF provides an extensible interface for users to write their own solutions easily. SVF is publicly available at http://unsw-corg.github.io/SVF.
- P. Anderson and T. Teitelbaum. Software inspection using codesurfer. In Workshop on Inspection in Software Engineering (WISE ’01), 2001.Google Scholar
- J. R. Andrew Trick. FTL WebKit’s LLVM based JIT. In LLVM Developer Meeting 2014, 2014.Google Scholar
- S. Arzt, S. Rasthofer, C. Fritz, E. Bodden, A. Bartel, J. Klein, Y. Le Traon, D. Octeau, and P. McDaniel. Flowdroid: Precise context, flow, field, object-sensitive and lifecycle-aware taint analysis for android apps. PLDI ’14, 49(6):259–269, June 2014. Google ScholarDigital Library
- F. Chow, S. Chan, S. Liu, R. Lo, and M. Streich. Effective representation of aliases and indirect memory operations in SSA form. In CC ’96, pages 253–267. Google ScholarDigital Library
- N. K. Cristina Cifuentes Oracle Labs Australia, Oracle. Translating Java into LLVM IR to detect security vulnerabilities. In LLVM Developer Meeting 2014, 2014.Google Scholar
- R. Cytron, J. Ferrante, B. K. Rosen, M. N. Wegman, and F. K. Zadeck. An efficient method of computing static single assignment form. In POPL ’89, pages 25–35. Google ScholarDigital Library
- P. Di and Y. Sui. Accelerating dynamic data race detection using static thread interference analysis. In PMAM ’16, 2016. Google ScholarDigital Library
- J. Ferrante, K. J. Ottenstein, and J. D. Warren. The program dependence graph and its use in optimization. TOPLAS ’87, 9(3):319–349, July 1987. Google ScholarDigital Library
- B. Hardekopf and C. Lin. Flow-sensitive pointer analysis for millions of lines of code. In CGO ’11, pages 289–298. Google ScholarDigital Library
- S. Horwitz, T. Reps, and D. Binkley. Interprocedural slicing using dependence graphs. In PLDI ’88, pages 35–46, 1988. Google ScholarDigital Library
- IBM. T.j. watson libraries for analysis (WALA).Google Scholar
- P. Lam, E. Bodden, O. Lhoták, and L. Hendren. The Soot framework for Java program analysis: a retrospective. In in CETUS ’11, 2011.Google Scholar
- C. Lattner and V. Adve. LLVM: A compilation framework for lifelong program analysis & transformation. In CGO ’’04, pages 75–86, 2014. Google ScholarDigital Library
- O. Lhoták and K.-C. A. Chung. Points-to analysis with efficient strong updates. In POPL ’11, pages 3–16.Google Scholar
- V. B. Livshits and M. S. Lam. Tracking pointers with path and context sensitivity for bug detection in C programs. In FSE ’03, pages 317– 326. Google ScholarDigital Library
- D. Novillo and R. H. Canada. Memory SSA-a unified approach for sparsely representing memory operations. In Proc of the GCC Developers’ Summit. Citeseer, 2007.Google Scholar
- H. Oh, K. Heo, W. Lee, W. Lee, and K. Yi. Design and implementation of sparse global analyses for C-like languages. In PLDI ’12, pages 229–238. Google ScholarDigital Library
- F. Pereira and D. Berlin. Wave propagation and deep propagation for pointer analysis. In CGO ’09, pages 126–135. Google ScholarDigital Library
- T. Reps, S. Horwitz, and M. Sagiv. Precise interprocedural dataflow analysis via graph reachability. In POPL ’95, pages 49–61, 1995. Google ScholarDigital Library
- Y. Sui, P. Di, and J. Xue. Sparse flow-sensitive pointer analysis for multithreaded programs. In CGO ’16, 2016. Google ScholarDigital Library
- Y. Sui, D. Ye, and J. Xue. Static memory leak detection using fullsparse value-flow analysis. In ISSTA ’12, pages 254–264. Google ScholarDigital Library
- Y. Sui, D. Ye, and J. Xue. Detecting memory leaks statically with full-sparse value-flow analysis. IEEE Transactions on Software Engineering, 40(2):107–122, 2014. Google ScholarDigital Library
- Y. Sui, S. Ye, J. Xue, and P. Yew. SPAS: Scalable path-sensitive pointer analysis on full-sparse SSA. In APLAS ’11, pages 155–171. Google ScholarDigital Library
- M. Weiser. Programmers use slices when debugging. Commun. ACM, 25(7):446–452, July 1982. Google ScholarDigital Library
- D. Ye, Y. Sui, and J. Xue. Accelerating dynamic detection of uses of undefined variables with static value-flow analysis. In CGO ’14, pages 154–164. Google ScholarDigital Library
- S. Ye, Y. Sui, and J. Xue. Region-based selective flow-sensitive pointer analysis. In SAS ’14, pages 319–336. Springer, 2014.Google Scholar
Index Terms
- SVF: interprocedural static value-flow analysis in LLVM
Recommendations
Interprocedural Pointer Analysis in Goanna
Goanna is an industrial-strength static analysis tool used in academia and industry alike to find bugs in C/C++ programs. Unlike existing approaches, Goanna uses the off-the-shelf model checker NuSMV as its core analysis engine on a syntactic flow-...
Semi-sparse flow-sensitive pointer analysis
POPL '09Pointer analysis is a prerequisite for many program analyses, and the effectiveness of these analyses depends on the precision of the pointer information they receive. Two major axes of pointer analysis precision are flow-sensitivity and context-...
Precise flow-insensitive may-alias analysis is NP-hard
Determining aliases is one of the foundamental static analysis problems, in part because the precision with which this problem is solved can affect the precision of other analyses such as live variables, available expressions, and constant propagation. ...
Comments