Boomerang: Demand-driven flow- and context-sensitive pointer analysis for Java

Johannes Späth; Lisa Nguyen Quang Do; Karim Ali; Eric Bodden

doi:10.4230/LIPIcs.ECOOP.2016.22

Boomerang: Demand-driven flow- and context-sensitive pointer analysis for Java

Johannes Späth, Lisa Nguyen Quang Do, Karim Ali, Eric Bodden

Computer Science

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

Many current program analyses require highly precise pointer information about small, targeted parts of a given program. This motivates the need for demand-driven pointer analyses that compute information only where required. Pointer analyses generally compute points-to sets of program variables or answer boolean alias queries. However, many client analyses require richer pointer information. For example, taint and typestate analyses often need to know the set of all aliases of a given variable under a certain calling context. With most current pointer analyses clients must compute such information through repeated points-to or alias queries, increasing complexity and computation time for them. This paper presents Boomerang, a demand-driven, flow-, field-, and context-sensitive pointer analysis for Java programs. Boomerang computes rich results that include both the possible allocation sites of a given pointer (points-to information) and all pointers that can point to those allocation sites (alias information). For increased precision and scalability, clients can query Boomerang with respect to particular calling contexts of interest. Our experiments show that Boomerang is more precise than existing demand-driven pointer analyses. Additionally, using Boomerang, the taint analysis Flow Droid issues up to 29.4x fewer pointer queries compared to using other pointer analyses that return simpler pointer information. Furthermore, the search space of Boomerang can be significantly reduced by requesting calling contexts from the client analysis.

Original language	English (US)
Title of host publication	30th European Conference on Object-Oriented Programming, ECOOP 2016
Editors	Benjamin S. Lerner, Shriram Krishnamurthi
Publisher	Schloss Dagstuhl- Leibniz-Zentrum fur Informatik GmbH, Dagstuhl Publishing
Pages	221-2226
Number of pages	2006
ISBN (Electronic)	9783959770149
DOIs	https://doi.org/10.4230/LIPIcs.ECOOP.2016.22
State	Published - Jul 1 2016
Event	30th European Conference on Object-Oriented Programming, ECOOP 2016 - Rome, Italy Duration: Jul 18 2016 → Jul 22 2016

Publication series

Name	Leibniz International Proceedings in Informatics, LIPIcs
Volume	56
ISSN (Print)	1868-8969

Conference

Conference	30th European Conference on Object-Oriented Programming, ECOOP 2016
Country/Territory	Italy
City	Rome
Period	7/18/16 → 7/22/16

Keywords

Aliasing
Demand-driven
IFDS
Points-to analysis
Static analysis

ASJC Scopus subject areas

Software

Access to Document

10.4230/LIPIcs.ECOOP.2016.22

Cite this

Späth, J., Quang Do, L. N., Ali, K., & Bodden, E. (2016). Boomerang: Demand-driven flow- and context-sensitive pointer analysis for Java. In B. S. Lerner, & S. Krishnamurthi (Eds.), 30th European Conference on Object-Oriented Programming, ECOOP 2016 (pp. 221-2226). (Leibniz International Proceedings in Informatics, LIPIcs; Vol. 56). Schloss Dagstuhl- Leibniz-Zentrum fur Informatik GmbH, Dagstuhl Publishing. https://doi.org/10.4230/LIPIcs.ECOOP.2016.22

Boomerang: Demand-driven flow- and context-sensitive pointer analysis for Java. / Späth, Johannes; Quang Do, Lisa Nguyen; Ali, Karim et al.
30th European Conference on Object-Oriented Programming, ECOOP 2016. ed. / Benjamin S. Lerner; Shriram Krishnamurthi. Schloss Dagstuhl- Leibniz-Zentrum fur Informatik GmbH, Dagstuhl Publishing, 2016. p. 221-2226 (Leibniz International Proceedings in Informatics, LIPIcs; Vol. 56).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Späth, J, Quang Do, LN, Ali, K & Bodden, E 2016, Boomerang: Demand-driven flow- and context-sensitive pointer analysis for Java. in BS Lerner & S Krishnamurthi (eds), 30th European Conference on Object-Oriented Programming, ECOOP 2016. Leibniz International Proceedings in Informatics, LIPIcs, vol. 56, Schloss Dagstuhl- Leibniz-Zentrum fur Informatik GmbH, Dagstuhl Publishing, pp. 221-2226, 30th European Conference on Object-Oriented Programming, ECOOP 2016, Rome, Italy, 7/18/16. https://doi.org/10.4230/LIPIcs.ECOOP.2016.22

Späth J, Quang Do LN, Ali K, Bodden E. Boomerang: Demand-driven flow- and context-sensitive pointer analysis for Java. In Lerner BS, Krishnamurthi S, editors, 30th European Conference on Object-Oriented Programming, ECOOP 2016. Schloss Dagstuhl- Leibniz-Zentrum fur Informatik GmbH, Dagstuhl Publishing. 2016. p. 221-2226. (Leibniz International Proceedings in Informatics, LIPIcs). doi: 10.4230/LIPIcs.ECOOP.2016.22

Späth, Johannes ; Quang Do, Lisa Nguyen ; Ali, Karim et al. / Boomerang : Demand-driven flow- and context-sensitive pointer analysis for Java. 30th European Conference on Object-Oriented Programming, ECOOP 2016. editor / Benjamin S. Lerner ; Shriram Krishnamurthi. Schloss Dagstuhl- Leibniz-Zentrum fur Informatik GmbH, Dagstuhl Publishing, 2016. pp. 221-2226 (Leibniz International Proceedings in Informatics, LIPIcs).

@inproceedings{129b459a80344e8abd999f32fc43defa,

title = "Boomerang: Demand-driven flow- and context-sensitive pointer analysis for Java",

abstract = "Many current program analyses require highly precise pointer information about small, targeted parts of a given program. This motivates the need for demand-driven pointer analyses that compute information only where required. Pointer analyses generally compute points-to sets of program variables or answer boolean alias queries. However, many client analyses require richer pointer information. For example, taint and typestate analyses often need to know the set of all aliases of a given variable under a certain calling context. With most current pointer analyses clients must compute such information through repeated points-to or alias queries, increasing complexity and computation time for them. This paper presents Boomerang, a demand-driven, flow-, field-, and context-sensitive pointer analysis for Java programs. Boomerang computes rich results that include both the possible allocation sites of a given pointer (points-to information) and all pointers that can point to those allocation sites (alias information). For increased precision and scalability, clients can query Boomerang with respect to particular calling contexts of interest. Our experiments show that Boomerang is more precise than existing demand-driven pointer analyses. Additionally, using Boomerang, the taint analysis Flow Droid issues up to 29.4x fewer pointer queries compared to using other pointer analyses that return simpler pointer information. Furthermore, the search space of Boomerang can be significantly reduced by requesting calling contexts from the client analysis.",

keywords = "Aliasing, Demand-driven, IFDS, Points-to analysis, Static analysis",

author = "Johannes Sp{\"a}th and {Quang Do}, {Lisa Nguyen} and Karim Ali and Eric Bodden",

note = "Publisher Copyright: {\textcopyright} J. Spadie;th, L. Nguyen Quang Do, K. Ali, and E. Bodden; licensed under Creative Commons License CC-BY.; 30th European Conference on Object-Oriented Programming, ECOOP 2016 ; Conference date: 18-07-2016 Through 22-07-2016",

year = "2016",

month = jul,

day = "1",

doi = "10.4230/LIPIcs.ECOOP.2016.22",

language = "English (US)",

series = "Leibniz International Proceedings in Informatics, LIPIcs",

publisher = "Schloss Dagstuhl- Leibniz-Zentrum fur Informatik GmbH, Dagstuhl Publishing",

pages = "221--2226",

editor = "Lerner, {Benjamin S.} and Shriram Krishnamurthi",

booktitle = "30th European Conference on Object-Oriented Programming, ECOOP 2016",

}

TY - GEN

T1 - Boomerang

T2 - 30th European Conference on Object-Oriented Programming, ECOOP 2016

AU - Späth, Johannes

AU - Quang Do, Lisa Nguyen

AU - Ali, Karim

AU - Bodden, Eric

N1 - Publisher Copyright: © J. Spadie;th, L. Nguyen Quang Do, K. Ali, and E. Bodden; licensed under Creative Commons License CC-BY.

PY - 2016/7/1

Y1 - 2016/7/1

N2 - Many current program analyses require highly precise pointer information about small, targeted parts of a given program. This motivates the need for demand-driven pointer analyses that compute information only where required. Pointer analyses generally compute points-to sets of program variables or answer boolean alias queries. However, many client analyses require richer pointer information. For example, taint and typestate analyses often need to know the set of all aliases of a given variable under a certain calling context. With most current pointer analyses clients must compute such information through repeated points-to or alias queries, increasing complexity and computation time for them. This paper presents Boomerang, a demand-driven, flow-, field-, and context-sensitive pointer analysis for Java programs. Boomerang computes rich results that include both the possible allocation sites of a given pointer (points-to information) and all pointers that can point to those allocation sites (alias information). For increased precision and scalability, clients can query Boomerang with respect to particular calling contexts of interest. Our experiments show that Boomerang is more precise than existing demand-driven pointer analyses. Additionally, using Boomerang, the taint analysis Flow Droid issues up to 29.4x fewer pointer queries compared to using other pointer analyses that return simpler pointer information. Furthermore, the search space of Boomerang can be significantly reduced by requesting calling contexts from the client analysis.

AB - Many current program analyses require highly precise pointer information about small, targeted parts of a given program. This motivates the need for demand-driven pointer analyses that compute information only where required. Pointer analyses generally compute points-to sets of program variables or answer boolean alias queries. However, many client analyses require richer pointer information. For example, taint and typestate analyses often need to know the set of all aliases of a given variable under a certain calling context. With most current pointer analyses clients must compute such information through repeated points-to or alias queries, increasing complexity and computation time for them. This paper presents Boomerang, a demand-driven, flow-, field-, and context-sensitive pointer analysis for Java programs. Boomerang computes rich results that include both the possible allocation sites of a given pointer (points-to information) and all pointers that can point to those allocation sites (alias information). For increased precision and scalability, clients can query Boomerang with respect to particular calling contexts of interest. Our experiments show that Boomerang is more precise than existing demand-driven pointer analyses. Additionally, using Boomerang, the taint analysis Flow Droid issues up to 29.4x fewer pointer queries compared to using other pointer analyses that return simpler pointer information. Furthermore, the search space of Boomerang can be significantly reduced by requesting calling contexts from the client analysis.

KW - Aliasing

KW - Demand-driven

KW - IFDS

KW - Points-to analysis

KW - Static analysis

UR - http://www.scopus.com/inward/record.url?scp=84982822149&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=84982822149&partnerID=8YFLogxK

U2 - 10.4230/LIPIcs.ECOOP.2016.22

DO - 10.4230/LIPIcs.ECOOP.2016.22

M3 - Conference contribution

AN - SCOPUS:84982822149

T3 - Leibniz International Proceedings in Informatics, LIPIcs

SP - 221

EP - 2226

BT - 30th European Conference on Object-Oriented Programming, ECOOP 2016

A2 - Lerner, Benjamin S.

A2 - Krishnamurthi, Shriram

PB - Schloss Dagstuhl- Leibniz-Zentrum fur Informatik GmbH, Dagstuhl Publishing

Y2 - 18 July 2016 through 22 July 2016

ER -

Boomerang: Demand-driven flow- and context-sensitive pointer analysis for Java

Abstract

Publication series

Conference

Keywords

ASJC Scopus subject areas

Access to Document

Other files and links

Fingerprint

Cite this