Many current program analyses require highly precise pointer information about small, targeted parts of a given program. This motivates the need for demand-driven pointer analyses that compute information only where required. Pointer analyses generally compute points-to sets of program variables or answer boolean alias queries. However, many client analyses require richer pointer information. For example, taint and typestate analyses often need to know the set of all aliases of a given variable under a certain calling context. With most current pointer analyses, clients must compute such information through repeated points-to or alias queries, increasing complexity and computation time for them.

This paper presents Boomerang, a demand-driven, flow-, field-, and context-sensitive pointer analysis for Java programs. Boomerang computes rich results that include both the possible allocation sites of a given pointer (points-to information) and all pointers that can point to those allocation sites (alias information). For increased precision and scalability, clients can query Boomerang with respect to particular calling contexts of interest.

Our experiments show that Boomerang is more precise than existing demand-driven pointer analyses. Additionally, using Boomerang, the taint analysis FlowDroid issues up to 29.4x fewer pointer queries compared to using other pointer analyses that return simpler pointer information. Furthermore, the search space of Boomerang can be significantly reduced by requesting calling contexts from the client analysis.