Flow-Sensitive Type-Based Heap Cloning (ECOOP 2020)

Who

Mohamad Barbar, Yulei Sui, Shiping Chen

Track

ECOOP 2020 Research Papers

Time Zone

The program is currently displayed in (GMT-06:00) Central Time (US & Canada).

Use conference time zone: (GMT-06:00) Central Time (US & Canada)Select other time zone

The GMT offsets shown reflect the offsets at the moment of the conference.

Time Band

By setting a time band, the program will dim events that are outside this time window. This is useful for (virtual) conferences with a continuous program (with repeated sessions).
The time band will also limit the events that are included in the personal iCalendar subscription service.

Display full programSpecify a time band

Save

When

Sun 15 Nov 2020 11:00 - 11:20 at SPLASH-I - S-3 Chair(s): Carl Friedrich Bolz-Tereick, Anitha Gollamudi
Sun 15 Nov 2020 23:00 - 23:20 at SPLASH-I - S-3 Chair(s): Elisa Gonzalez Boix, Atsushi Igarashi

Abstract

Flow-sensitive pointer analysis promises more precise results than its flow-insensitive counterpart by respecting program control-flow. However, existing heap abstractions for C/C++ flow-sensitive pointer analysis model the heap by creating one heap object per memory allocation. Two runtime heap objects which originate from the same allocation site are imprecisely modeled using one abstract object, which makes them share the same imprecise points-to sets and thus reduces the benefit of analysing heap objects flow-sensitively. On the other hand, equipping flow-sensitive analysis with context-sensitivity where an abstract heap object is created (cloned) per calling context can yield a more precise heap modeling for flow-sensitive analysis, but at the cost of uncontrollable analysis overhead when analysing larger programs.

This paper presents TypeClone, a new type-based heap model for flow-sensitive analysis. Our key insight is to differentiate concrete heap objects lazily using the type information at their use sites (e.g., accessed via pointer dereferencing) within the program control-flow. The novelty of TypeClone lies in its lazy heap cloning: an untyped abstract heap object created at an allocation site is killed and replaced with a new (cloned) object uniquely identified by the type information at its use site for flow-sensitive points-to propagation. This yields more precise points-to relations for each program point through well-typed objects where necessary. Thus, heap cloning can be performed within a flow-sensitive analysis without the need for context-sensitivity. Moreover, we extend TypeClone to support new kinds of strong updates for heap objects to filter out imprecise points-to relations at object use sites for programs conforming to the strict aliasing rules based on the standard C/C++ specification. Our method is neither strictly superior nor inferior to context-sensitive heap cloning, but rather, represents a new dimension that achieves a sweet spot between precision and efficiency. Our experimental results also confirm that TypeClone is more precise than flow-sensitive pointer analysis by increasing the percentage of no-alias queries by 12% on average.

Link to Publication

https://drops.dagstuhl.de/opus/frontdoor.php?source_opus=13181

DOI

https://doi.org/10.4230/LIPIcs.ECOOP.2020.24

Mohamad Barbar

University of Technology, Sydney

Yulei Sui

University of Technology Sydney

Shiping Chen

Data61 at CSIRO, Australia / UNSW, Australia

Australia

Media