Question 1:
Pointer analysis reasons about memory locations and allocation sites. It is often used
as a support analysis for client analyses such as call graph construction algorithms or
taint analyses. The two main types of pointer analysis are points-to and alias analyses.
Points-to analyses return points-to sets: possible allocation sites that a given access path
at a given statement may point to. On the other hand, alias analyses determine whether
two access paths at a particular statement may point to the same memory location.
Given the Java program below, answer the following questions (Note that Line x refers
to the point in the program following the execution of the statement at line x):
 1: A a = new B();
 2: B p = new B();
 3: A b = new A();
 4: A q = new A();
 5:
 6: if (Math.random() < 0.5) {
 7:     x = a;
 8:     y = b;
 9:
10: } else {
11:     x = p;
12:     y = q;
13: }
14:
15: x.attr = y;
16:
17: q.b = getSecret();
Use the following access paths: a, b, p, q, x, y, a.attr, p.attr, x.attr, b.b,
q.b, y.b, a.attr.b, p.attr.b, x.attr.b.
a. (10 points) What are the points-to sets of variables x and y at Line 12? (denote
allocation sites using the form Line 1: new X)
b. (10 points) What are the points-to sets of variables x and y at Line 17?
c. (5 points) Which access paths may-alias with q.b at Line 17?
d. (5 points) Do any access paths must-alias in the program? If yes, which ones?
e. (4 points) Can a points-to analysis alone answer an alias query? Is it possible to
obtain points-to sets by using only an alias analysis? Justify your answers.
f. (4 points) Assume a taint analysis scanning the Java program above, with getSecret()
being a source of taint. Which access paths should be tainted at Line 17?
g. (4 points) How would the taint analysis achieve this with a minimal overhead,
assuming it can use a points-to analysis as a black box?
h. (4 points) What if the taint analysis uses an alias analysis instead?
i. (4 points) List and briefly describe some applications of the two pointer analyses
(points-to and alias). For each application, explain which analysis to use and justify
your answer.
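
The two query types defined in the introduction to Question 1, as an added example that is not part of the original exam: a small flow-sensitive may points-to analysis in Python, run over a constructed program that differs from the one above, with alias queries answered by intersecting points-to sets. The tuple-based statement format, the function names and the sample program are assumptions made for this illustration.

```python
# Flow-sensitive may points-to analysis over a constructed toy IR (not the exam program).
# Allocation sites are written "L<n>: new T", following the notation used on this page.
from copy import deepcopy

def resolve(path, env, heap):
    """Points-to set of an access path such as 'cur.val'."""
    var, *fields = path.split(".")
    sites = set(env.get(var, ()))
    for f in fields:  # follow each field through every site reached so far
        sites = set().union(*(heap.get((s, f), set()) for s in sites))
    return sites

def may_alias(p1, p2, env, heap):
    return bool(resolve(p1, env, heap) & resolve(p2, env, heap))

def analyze(stmts, env=None, heap=None):
    """Return (env, heap): var -> sites, and (site, field) -> sites."""
    env = {} if env is None else env
    heap = {} if heap is None else heap
    for s in stmts:
        op = s[0]
        if op == "new":        # v = new T()   strong update on the variable
            env[s[1]] = {s[2]}
        elif op == "copy":     # dst = src
            env[s[1]] = set(env.get(s[2], ()))
        elif op == "store":    # base.f = src  weak update: union into every target
            for site in env.get(s[1], ()):
                heap.setdefault((site, s[2]), set()).update(env.get(s[3], ()))
        elif op == "load":     # dst = base.f
            env[s[1]] = resolve(f"{s[2]}.{s[3]}", env, heap)
        elif op == "if":       # analyse both branches separately, then join by union
            e1, h1 = analyze(s[1], deepcopy(env), deepcopy(heap))
            e2, h2 = analyze(s[2], deepcopy(env), deepcopy(heap))
            env = {v: e1.get(v, set()) | e2.get(v, set()) for v in e1.keys() | e2.keys()}
            heap = {k: h1.get(k, set()) | h2.get(k, set()) for k in h1.keys() | h2.keys()}
    return env, heap

# Constructed program: cur is n1 or n2 depending on a branch, then cur.val = d; r = n1.val
PROGRAM = [
    ("new", "n1", "L1: new Node"),
    ("new", "n2", "L2: new Node"),
    ("new", "d", "L3: new Data"),
    ("if", [("copy", "cur", "n1")], [("copy", "cur", "n2")]),
    ("store", "cur", "val", "d"),
    ("load", "r", "n1", "val"),
]
ENV, HEAP = analyze(PROGRAM)
```

Because the store through cur is a weak update, both n1.val and n2.val end up with the Data site in their points-to sets, so the two paths may-alias even though n1 and n2 themselves do not.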