[Soot-list] VASCO: An Interprocedural Data Flow Analysis Framework using Value Contexts
Rohan Padhye
rohanpadhye at cse.iitb.ac.in
Wed Apr 24 13:38:49 EDT 2013
Hello all,
There seemed to be one or two people who recently asked for data flow
results of an inter-procedural analysis which are parametrized by
contexts. For those who are interested, I would like to share with you
the code of an inter-procedural framework for Soot that we have been
working on that uses value-sensitive contexts.
Source code: https://github.com/rohanpadhye/vasco
API docs: http://rohanpadhye.github.io/vasco/apidocs
Paper (submitted to SOAP '13): http://arxiv.org/pdf/1304.6274v1.pdf
Why did we need to develop a new framework when a nice tool like Heros
exists already? Well, the difficulties we faced were not with Heros but
with the underlying approach of graph-reachability based solutions which
depend on distributive flow functions (IFDS/IDE).
Specifically, we wanted an inter-procedural framework for performing
heap analyses (e.g. points-to analysis, heap reference analysis using
access graphs, various types of shape analysis, etc). Most of these
analyses have non-distributive flow functions and hence cannot be
directly encoded as IFDS/IDE problems.
Also, one of our requirements was that the data flow solution should be
context-sensitive, whereas graph-reachability based methods give a
meet-over-valid-paths solution by default. Handling results differently
for different contexts opens up many new opportunities for optimization
and performing precise secondary analyses that depend on results of a
primary analysis (e.g. heap liveness analysis that requires alias analysis).
Thus, our framework is built around the concept of using data flow
values themselves as contexts, which provides a fully context-sensitive
solution even in the presence of recursion (i.e. no k-limited bounding),
provided the lattice is finite, and has found to be efficient in
practice. The algorithm used is mainly an adaptation of Sharir and
Pnueli's tabulation method of the functional approach as well as Khedker
and Karkare's CC '08 paper on a modified call strings approach.
Although the second requirement may be (partially) addressed in Heros by
tweaking the "domain" of the IFDS/IDE problem, this loses the
intuitiveness and clarity of the data flow problem model, and the
resulting solution complexity also increases as a cubic factor of the
domain extensions.
We've aimed to ensure intuitiveness by designing the classes on the
lines of Soot's intra-procedural data flow framework, which makes it
easy to lift an existing intra-procedural analysis to an
inter-procedural scope.
The source code also includes an implementation of a Flow and Context
Sensitive Pointer Analysis (FCPA) using this framework, which we used
for constructing a context-sensitive call graph, resulting in phenomenal
reductions in inter-procedural paths (call chains) that would directly
affect the precision and efficiency of any inter-procedural analysis,
whether using our framework or otherwise.
Suggestions and comments are welcome.
Regards,
Rohan Padhye
More information about the Soot-list
mailing list