Skip to content

Model Object.clone() in PTA for better precision for may-fail-cast #209

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Model Object.clone() in PTA for better precision for may-fail-cast #209

wants to merge 1 commit into from

Conversation

@jjppp
Copy link
Member

@jjppp jjppp commented Nov 4, 2025

Currently, Object.clone() is modeled via DefaultNativeModel, which generates a plain return as the method body. This modeling, though general, is not suitable for pointer analysis, as it requires extra level of context-sensitivity to distinguish incoming and outcoming object flows.

By modeling Object.clone() using the IRModelPlugin, we can obtain better precision for may-fail-cast when analyzing programs context-insensitively.
This is because the return type of clone() the method is java.lang.Object, and its invocations are often invoked and then cast into the correct type to be used later, as in the following example from jdk17.

https://github.com/openjdk/jdk17u/blob/30ef840c3736270330fc0a26849c2456406facfe/src/java.base/share/classes/java/util/IdentityHashMap.java#L704-L713

On five benchmarks (antlr, bloat, jedit-3.0, columba-1.4, and briss-0.9 from java-benchmarks) we achieve an average reduction of 148 casts that may fail when analyzed context-insensitively, with slightly better precision on other analysis metrics.

Diff for master and object-clone-model 
16,18c16,18
< #var pointers:                6,7305 (insens) / 6,7305 (sens)
< #objects:                     5477 (insens) / 5477 (sens)
< #var points-to:               199,8669 (insens) / 199,8669 (sens)
---
> #var pointers:                6,7215 (insens) / 6,7215 (sens)
> #objects:                     5474 (insens) / 5474 (sens)
> #var points-to:               196,5678 (insens) / 196,5678 (sens)
20,23c20,23
< #instance field points-to:    32,5231 (sens)
< #array points-to:             2,4207 (sens)
< #reachable methods:           8667 (insens) / 8667 (sens)
< #call graph edges:            5,9367 (insens) / 5,9367 (sens)
---
> #instance field points-to:    32,3703 (sens)
> #array points-to:             2,2878 (sens)
> #reachable methods:           8653 (insens) / 8653 (sens)
> #call graph edges:            5,9247 (insens) / 5,9247 (sens)
26,27c26,27
< #may-fail-cast: found 1050 in 6924 reachable relevant Stmts
< #may-fail-cast: found 279 in 1861 reachable relevant Stmts (app)
---
> #may-fail-cast: found 978 in 6912 reachable relevant Stmts
> #may-fail-cast: found 274 in 1861 reachable relevant Stmts (app)
29c29
< #poly-call: found 1992 in 32673 reachable relevant Stmts
---
> #poly-call: found 1986 in 32645 reachable relevant Stmts
47,54c47,54
< #var pointers:                6,9254 (insens) / 6,9254 (sens)
< #objects:                     6384 (insens) / 6384 (sens)
< #var points-to:               325,6830 (insens) / 325,6830 (sens)
< #static field points-to:      2046 (sens)
< #instance field points-to:    50,8087 (sens)
< #array points-to:             1,6718 (sens)
< #reachable methods:           9929 (insens) / 9929 (sens)
< #call graph edges:            6,9391 (insens) / 6,9391 (sens)
---
> #var pointers:                6,9164 (insens) / 6,9164 (sens)
> #objects:                     6379 (insens) / 6379 (sens)
> #var points-to:               320,6550 (insens) / 320,6550 (sens)
> #static field points-to:      2036 (sens)
> #instance field points-to:    50,3911 (sens)
> #array points-to:             1,6313 (sens)
> #reachable methods:           9915 (insens) / 9915 (sens)
> #call graph edges:            6,9234 (insens) / 6,9234 (sens)
57,58c57,58
< #may-fail-cast: found 2008 in 6940 reachable relevant Stmts
< #may-fail-cast: found 1233 in 1749 reachable relevant Stmts (app)
---
> #may-fail-cast: found 1941 in 6928 reachable relevant Stmts
> #may-fail-cast: found 1232 in 1749 reachable relevant Stmts (app)
60c60
< #poly-call: found 2258 in 30256 reachable relevant Stmts
---
> #poly-call: found 2252 in 30228 reachable relevant Stmts
78,85c78,85
< #var pointers:                16,2836 (insens) / 16,2836 (sens)
< #objects:                     1,6986 (insens) / 1,6986 (sens)
< #var points-to:               2566,1861 (insens) / 2566,1861 (sens)
< #static field points-to:      1,3671 (sens)
< #instance field points-to:    441,7282 (sens)
< #array points-to:             49,2074 (sens)
< #reachable methods:           2,5136 (insens) / 2,5136 (sens)
< #call graph edges:            15,0300 (insens) / 15,0300 (sens)
---
> #var pointers:                16,2766 (insens) / 16,2766 (sens)
> #objects:                     1,6974 (insens) / 1,6974 (sens)
> #var points-to:               2544,1746 (insens) / 2544,1746 (sens)
> #static field points-to:      1,3663 (sens)
> #instance field points-to:    438,9623 (sens)
> #array points-to:             33,8486 (sens)
> #reachable methods:           2,5125 (insens) / 2,5125 (sens)
> #call graph edges:            14,9998 (insens) / 14,9998 (sens)
88c88
< #may-fail-cast: found 4059 in 18698 reachable relevant Stmts
---
> #may-fail-cast: found 3925 in 18687 reachable relevant Stmts
91c91
< #poly-call: found 6308 in 65992 reachable relevant Stmts
---
> #poly-call: found 6300 in 65972 reachable relevant Stmts
109,116c109,116
< #var pointers:                38,2955 (insens) / 38,2955 (sens)
< #objects:                     5,1344 (insens) / 5,1344 (sens)
< #var points-to:               1,6775,5421 (insens) / 1,6775,5421 (sens)
< #static field points-to:      5,4497 (sens)
< #instance field points-to:    1,1040,5697 (sens)
< #array points-to:             282,9296 (sens)
< #reachable methods:           5,6600 (insens) / 5,6600 (sens)
< #call graph edges:            42,6015 (insens) / 42,6015 (sens)
---
> #var pointers:                38,2948 (insens) / 38,2948 (sens)
> #objects:                     5,1312 (insens) / 5,1312 (sens)
> #var points-to:               1,6619,9779 (insens) / 1,6619,9779 (sens)
> #static field points-to:      5,4438 (sens)
> #instance field points-to:    1,0991,6491 (sens)
> #array points-to:             243,0662 (sens)
> #reachable methods:           5,6599 (insens) / 5,6599 (sens)
> #call graph edges:            42,5566 (insens) / 42,5566 (sens)
119,120c119,120
< #may-fail-cast: found 10417 in 35717 reachable relevant Stmts
< #may-fail-cast: found 4386 in 9893 reachable relevant Stmts (app)
---
> #may-fail-cast: found 10209 in 35717 reachable relevant Stmts
> #may-fail-cast: found 4354 in 9893 reachable relevant Stmts (app)
122c122
< #poly-call: found 17623 in 167633 reachable relevant Stmts
---
> #poly-call: found 17621 in 167633 reachable relevant Stmts
136a137
> 8649 classes with 84612 methods in the world
140,147c141,148
< #var pointers:                30,8052 (insens) / 30,8052 (sens)
< #objects:                     3,2559 (insens) / 3,2559 (sens)
< #var points-to:               6567,5360 (insens) / 6567,5360 (sens)
< #static field points-to:      4,5228 (sens)
< #instance field points-to:    2540,3200 (sens)
< #array points-to:             94,0044 (sens)
< #reachable methods:           4,1716 (insens) / 4,1716 (sens)
< #call graph edges:            29,4075 (insens) / 29,4075 (sens)
---
> #var pointers:                30,8051 (insens) / 30,8051 (sens)
> #objects:                     3,2541 (insens) / 3,2541 (sens)
> #var points-to:               6406,1386 (insens) / 6406,1386 (sens)
> #static field points-to:      4,5224 (sens)
> #instance field points-to:    2486,7980 (sens)
> #array points-to:             66,5853 (sens)
> #reachable methods:           4,1715 (insens) / 4,1715 (sens)
> #call graph edges:            29,4067 (insens) / 29,4067 (sens)
150,151c151,152
< #may-fail-cast: found 7752 in 38193 reachable relevant Stmts
< #may-fail-cast: found 1782 in 12453 reachable relevant Stmts (app)
---
> #may-fail-cast: found 7493 in 38193 reachable relevant Stmts
> #may-fail-cast: found 1736 in 12453 reachable relevant Stmts (app)
153c154
< #poly-call: found 12705 in 129597 reachable relevant Stmts
---
> #poly-call: found 12703 in 129597 reachable relevant Stmts

@codecov
Copy link

codecov bot commented Nov 4, 2025
edited
Loading

Codecov Report

❌ Patch coverage is 66.66667% with 2 lines in your changes missing coverage. Please review.
✅ Project coverage is 75.82%. Comparing base (e7489dc) to head (d8013ce).

Files with missing lines Patch % Lines
.../taie/analysis/pta/plugin/natives/ObjectModel.java 66.66% 1 Missing and 1 partial ⚠️
Additional details and impacted files 
@@            Coverage Diff            @@
##             master     #209   +/-   ##
=========================================
  Coverage     75.81%   75.82%           
- Complexity     4657     4660    +3     
=========================================
  Files           481      482    +1     
  Lines         16070    16076    +6     
  Branches       2199     2200    +1     
=========================================
+ Hits          12184    12189    +5     
  Misses         3019     3019           
- Partials        867      868    +1
Files with missing lines Coverage Δ
...ie/analysis/pta/plugin/natives/NativeModeller.java 100.00% <ø> (ø)
.../taie/analysis/pta/plugin/natives/ObjectModel.java 66.66% <66.66%> (ø)

... and 1 file with indirect coverage changes

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@jjppp