Defensive Points-To Analysis: Effective Soundness via Laziness
We present a defensive may-point-to analysis approach, which offers soundness even in the presence of arbitrary opaque code: all non-empty points-to sets computed are guaranteed to be over-approximations of the sets of values arising at run time. A key design tenet of the analysis is laziness: the analysis computes points-to relationships only for variables or objects that are guaranteed to never escape into opaque code. This means that the analysis misses some valid inferences, yet it also never wastes work to compute sets of values that are not “complete”, i.e., that may be missing elements due to opaque code. Laziness enables great efficiency, allowing us to perform a highly precise points-to analysis (such as a 5-call-site-sensitive, flow-sensitive analysis).
Despite its conservative nature, our analysis yields sound, actionable results for a large subset of the program code, achieving (under worst-case assumptions) 34-74% of the program coverage of an unsound state-of-the-art analysis for real-world programs.
Sat 21 Jul
|11:00 - 11:25|
|11:25 - 11:50|
|11:50 - 12:15|
Ana MilanovaRensselaer Polytechnic InstituteDOI
|12:15 - 12:40|
Neville GrechUniversity of Athens, George KastrinisUniversity of Athens, Yannis SmaragdakisUniversity of AthensDOI