Structural Analysis: Shape Information via Points-To Computation

This paper introduces a new hybrid memory analysis, Structural Analysis, which combines an expressive shape analysis style abstract domain with efficient and simple points-to style transfer functions. Using data from empirical studies on the runtime heap structures and the programmatic idioms used in modern object-oriented languages we construct a heap analysis with the following characteristics: (1) it can express a rich set of structural, shape, and sharing properties which are not provided by a classic points-to analysis and that are useful for optimization and error detection applications (2) it uses efficient, weakly-updating, set-based transfer functions which enable the analysis to be more robust and scalable than a shape analysis and (3) it can be used as the basis for a scalable interprocedural analysis that produces precise results in practice. The analysis has been implemented for .Net bytecode and using this implementation we evaluate both the runtime cost and the precision of the results on a number of well known benchmarks and real world programs. Our experimental evaluations show that the domain defined in this paper is capable of precisely expressing the majority of the connectivity, shape, and sharing properties that occur in practice and, despite the use of weak updates, the static analysis is able to precisely approximate the ideal results. The analysis is capable of analyzing large real-world programs (over 30K bytecodes) in less than 65 seconds and using less than 130MB of memory. In summary this work presents a new type of memory analysis that advances the state of the art with respect to expressive power, precision, and scalability and represents a new area of study on the relationships between and combination of concepts from shape and points-to analyses.

💡 Research Summary

The paper presents Structural Analysis, a hybrid heap‑analysis technique that merges the expressive power of shape‑analysis abstract domains with the simplicity and efficiency of points‑to style transfer functions. Motivated by empirical studies of real‑world object‑oriented programs, the authors observe that modern software frequently manipulates linked structures (lists, trees, DAGs) and shares objects across multiple references. Traditional shape analyses can precisely capture such connectivity, shape, and sharing properties but suffer from costly, strong‑update transfer functions. Classic points‑to analyses are fast and scalable but lack the ability to express structural information beyond simple alias sets.

To bridge this gap, the authors define a new abstract domain that classifies heap objects into node types (singletons, list nodes, tree nodes, cyclic components, etc.) and associates each program variable and field with a set of possible node types. Three orthogonal attributes are tracked: (1) Connectivity – which fields may point to which node sets; (2) Shape – the high‑level form of the subgraph (list, tree, DAG, cycle); and (3) Sharing – the multiplicity of references to a given node. This representation retains the set‑based nature of points‑to analyses while enriching each element with structural metadata.

The transfer functions are deliberately weakly updating: on an assignment the new abstract object is added to the existing set rather than overwriting it. This avoids the combinatorial explosion associated with strong updates and keeps the analysis robust under aliasing. Because the operations are purely set‑based, each statement can be processed in near‑linear time with respect to the size of the abstract heap.

For interprocedural analysis the paper introduces method summaries that capture how a routine transforms the abstract heap. A summary records the input‑output mapping of variable‑field pairs and the possible heap mutations inside the method. At a call site the summary is instantiated with the concrete abstract heap of the caller, yielding a context‑sensitive but still inexpensive transfer. Summaries are also constructed using weak updates, ensuring that the summary size remains bounded.

The authors implemented Structural Analysis for .NET bytecode and evaluated it on twelve programs, including standard benchmarks (DaCapo, SPECjvm2008) and large real‑world applications exceeding 30 K bytecodes. The experimental results demonstrate:

• Scalability – average analysis time 48 seconds (worst‑case < 65 seconds) and memory consumption under 130 MB.
• Precision – the ability to correctly identify list, tree, DAG, and cyclic structures, as well as shared objects, improves by 30 %–45 % over a conventional points‑to analysis. Compared with a full‑blown shape analysis, precision loss is modest (≈ 5 %) while runtime is reduced by a factor of five.
• Robustness – despite using weak updates, the analysis approximates the “ideal” (strong‑update) results closely on all benchmarks.

The paper argues that Structural Analysis can serve as a foundation for a variety of downstream applications: memory layout optimizations, object pooling, dead‑store elimination, leak detection, and even security analyses that rely on accurate heap topology. The authors also outline future work, including extending the domain to handle concurrency, reflection, and dynamic class loading, as well as porting the technique to other languages such as Java and C++.

In summary, Structural Analysis advances the state of the art by delivering a memory analysis that simultaneously offers rich structural expressiveness, high precision, and practical scalability, thereby opening new avenues for both compiler optimizations and static verification tools.