Refinement of path expressions for static analysis
Abstract
Algebraic program analyses compute information about a program’s behavior by first (a) computing a valid path expression —i.e., a regular expression that recognizes all feasible execution paths (and usually more)—and then (b) interpreting the path expression in a semantic algebra that defines the analysis. There are an infinite number of different regular expressions that qualify as valid path expressions, which raises the question “ Which one should we choose? ” While any choice yields a sound result, for many analyses the choice can have a drastic effect on the precision of the results obtained. This paper investigates the following two questions: (1) What does it mean for one valid path expression to be “better” than another ? (2) Can we compute a valid path expression that is “better,” and if so, how ? We show that it is not satisfactory to compare two path expressions E 1 and E 2 solely by means of the languages that they generate . Counter to one’s intuition, it is possible for L ( E 2 ) ⊊ L ( E 1 ), yet for E 2 to produce a less-precise analysis result than E 1 —and thus we would not want to perform the transformation E 1 → E 2 . However, the exclusion of paths so as to analyze a smaller language of paths is exactly the refinement criterion used by some prior methods.
Document Details
- Document Type
- Pub Defense Publication
- Publication Date
- Jan 02, 2019
- Source ID
- 10.1145/3290358
Entities
People
- Jason Breck
- John Cyphert
- Thomas Reps
- Zachary Kincaid
Organizations
- Defense Advanced Research Projects Agency
- Office of Naval Research
- Princeton University
- University of Wisconsin–Madison
- Wisconsin Alumni Research Foundation