Showing papers by "Cristina Cifuentes published in 2011"

Boosting the performance of flow-sensitive points-to analysis using value flow

Abstract: Points-to analysis is a fundamental static analysis technique which computes the set of memory objects that a pointer may point to. Many different applications, such as security-related program analyses, bug checking, and analyses of multi-threaded programs, require precise points-to information to be effective. Recent work has focused on improving the precision of points-to analysis through flow-sensitivity and great progress has been made. However, even with all recent progress, flow-sensitive points-to analysis can still be much slower than a flow-insensitive analysis.In this paper, we propose a novel method that simplifies flow-sensitive points-to analysis to a general graph reachability problem in a value flow graph. The value flow graph summarizes dependencies between pointer variables, including those memory dependencies via pointer dereferences. The points-to set for each pointer variable can then be computed as the set of memory objects that can reach it in the graph. We develop an algorithm to build the value flow graph efficiently by examining the pointed-to-by set of a memory object, i.e., the set of pointers that point to an object. The pointed-to-by information of memory objects is very useful for applications such as escape analysis, and information flow analysis.Our approach is intuitive, easy to implement and very efficient. The implementation is around 2000 lines of code and it is more efficient than existing flow-sensitive points-to analyses. The runtime is comparable with the state-of-the-art flow-insensitive points-to analysis.

Context-sensitive analysis framework using value flows

Abstract: In general, in one aspect, the invention relates to a method for identifying program properties in source code. The method includes: identifying a set of program objects corresponding to a potential program property within the source code; identifying a function associated with the set of program objects in the source code; identifying an input and an output of the function in the source code; creating a value flow graph by: creating a function input node representing the input; creating a function output node representing the output; identifying value flow functions, where each value flow function defines a conditional dependency between a pair of graph nodes, and creating, based on the value flow functions, directed graph edges modeling a potential flow of data through the value flow graph; and identifying a feasible path in the value flow graph depicting an occurrence of the potential program property in the source code.

Method and system for performing backward-driven path-sensitive dataflow analysis

Abstract: In general, in one aspect, the invention relates to a method for static analysis. The method includes: obtaining source code; constructing a control flow graph (CFG) corresponding to the source code, by identifying control structures within the source code, creating a set of graph nodes of the CFG, and creating a set of directed graph edges of the CFG connecting the set of graph nodes; assigning a first Boolean flow value to a selected node of the set of graph nodes; backward traversing the CFG from the selected node to a target node; computing, by a computer processor and while backward traversing the CFG, disjoint predicate expressions representing flow values at the set of directed graph edges; computing, based on the disjoint predicate expressions, a resulting disjoint predicate expression; and identifying, based on the resulting disjoint predicate expression, a potential program property in the source code.

Static deep error checking in large system applications using parfait

Abstract: In this paper, we introduce Parfait, a static bug-checking tool for C/C++ applications. Parfait achieves precision and scalability at the same time by employing a layered program analysis framework. In Parfait, different analyses varying in precision and runtime expense can be invoked on demand to detect defects of a specific type, effectively achieving higher precision with smaller runtime overheads. Several production organizations within Oracle have started to integrate Parfait into their development process. Feedback from various production teams suggests that it is precise and scalable: the tool is able to analyze the OpenSolarisTM operating system and network consolidation (ON) with more than 6 million lines of code in 1 hour, and report thousands of defects with a false positive rate of close to 10%.

Points-to analysis as value flow

Abstract: In general, in one aspect, the invention relates to a method for performing points-to analysis by generating a value flow graph for source code. The method steps include: initializing the value flow graph including a set of memory objects and a set of edges based on Base and Assignment instructions, where the set of edges represents inclusion constraints between the set of memory objects and a set of pointer variables; determining a pointed-to-by set including at least one pointer variable of the set of pointer variables; updating the value flow graph by introducing a flow edge based on an indirect reference, where the flow edge is related to a memory object of the set of memory objects that is added to a working list; updating the pointed-to-by set based on the memory object in the working list; and analyzing the source code using the pointed-to-by set.

Points-to analysis using value flow

Abstract: In general, in one aspect, the invention relates to a method for performing points-to analysis by generating a value flow graph for source code. The method steps include: initializing the value flow graph including a set of memory objects and a set of edges based on Base and Assignment instructions, where the set of edges represents inclusion constraints between the set of memory objects and a set of pointer variables; determining a pointed-to-by set including at least one pointer variable of the set of pointer variables; updating the value flow graph by introducing a flow edge based on an indirect reference, where the flow edge is related to a memory object of the set of memory objects that is added to a working list; updating the pointed-to-by set based on the memory object in the working list; and analyzing the source code using the pointed-to-by set.