# Heaps Don't Lie: Countering Unsoundness with Heap Snapshots

**Authors:** Neville Grech, George Fourtounis, Adrian Francalanza, Yannis Smaragdakis

arXiv: 1905.02088 · 2019-05-07

## TL;DR

This paper introduces HeapDL, a technique that captures comprehensive heap snapshots during program execution to significantly improve static analysis coverage, addressing limitations of previous dynamic information approaches.

## Contribution

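The paper presents HeapDL, a toolchain that takes whole-heap snapshots during program execution, enriches them to capture significant aspects of dynamic behavior, and feeds them to a static analysis as extra inputs. This counteracts the analysis's unsoundness with virtually no intrusion into the analysis logic.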

## Key findings

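- A HeapDL-enhanced static analysis of the DaCapo benchmarks computes 99.5% (median) of the call-graph edges of unseen dynamic executions.
- Tamiflex reaches 76.9% on the same measure, so HeapDL significantly increases coverage of dynamic behavior.
- The approach is portable: heap information gathered under one set of dynamic inputs lets a static analysis cover many more behaviors under other inputs.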

## Abstract

Static analyses aspire to explore all possible executions in order to achieve soundness. Yet, in practice, they fail to capture common dynamic behavior. Enhancing static analyses with dynamic information is a common pattern, with tools such as Tamiflex. Past approaches, however, miss significant portions of dynamic behavior, due to native code, unsupported features (e.g., invokedynamic or lambdas in Java), and more. We present techniques that substantially counteract the unsoundness of a static analysis, with virtually no intrusion to the analysis logic. Our approach is reified in the HeapDL toolchain and consists in taking whole-heap snapshots during program execution, that are further enriched to capture significant aspects of dynamic behavior, regardless of the causes of such behavior. The snapshots are then used as extra inputs to the static analysis. The approach exhibits both portability and significantly increased coverage. Heap information under one set of dynamic inputs allows a static analysis to cover many more behaviors under other inputs. A HeapDL-enhanced static analysis of the DaCapo benchmarks computes 99.5% (median) of the call-graph edges of unseen dynamic executions (vs. 76.9% for the Tamiflex tool).

## Full text

_Full body text omitted from this summary view._ Fetch the complete paper as Markdown: https://tomesphere.com/paper/1905.02088/full.md

## Figures

18 figures with captions in the complete paper: https://tomesphere.com/paper/1905.02088/full.md

## References

49 references — full list in the complete paper: https://tomesphere.com/paper/1905.02088/full.md

---
Source: https://tomesphere.com/paper/1905.02088