An Opinionated Overview on Static Analysis for Java

Whole-program points-to analysis has many diverse usages, for example, call graph construction, security analysis, auto-parallelization, bug analysis, heap allocation analysis, and program debugging and understanding. As a result, many different flavors of analysis have been proposed: an analysis can be sound or unsound; context insensitive or context sensitive; flow sensitive; path sensitive; memory sensitive. We start with an overview of academic research that explains all the terms. Then we make the claim that static analysis for Java is actually much harder than it looks at the first: Reflection, JNI, Unsafe memory access, method handles, VarHandle, bootstrap methods, ... are all concepts in Java that are overlooked in many of the academic research papers. While that is acceptable for some use cases of static analysis, most real-world use cases cannot ignore it. We show how all of these dynamic features can be handled without sacrificing the precision of the analysis in the static analysis framework that we developed as part of GraalVM Native Image. The presentation will be quite example-driven: we will illustrate where a points-to analysis can successfully prove important whole-program properties that are useful for optimizations and security analysis. But we will also show examples where a points-to analysis fails to prove facts that look trivial for humans. Resources • In Defense of Soundiness: A Manifesto ➤ • Scalable Pointer Analysis of Data Structures Using Semantic Models ➤ • Context Sensitivity without Contexts: A Cut-Shortcut Approach to Fast and Precise Pointer Analysis ➤ • GraalVM ➤ • Inside Java ➤ • ➤ • JVMLS ➤