oracle / graal

GraalVM compiles Java applications into native executables that start instantly, scale fast, and use fewer compute resources 🚀
https://www.graalvm.org

Adapt GraalVM to a state-of-the-art static analysis framework for universal Java program #3418

Open ziyilin opened 3 years ago

ziyilin commented 3 years ago

Feature request

Besides the innovation of native image, GraalVM is a state-of-the-art static analysis framework as well. Currently there is no other Java static analysis framework that can do points-to analysis as well and as practically as GraalVM does. People from both industry and academia are looking for a good Java static analysis tool for security analysis, code quality analysis, etc., but can't find a proper one. Making static analysis available for universal Java programs can further expand GraalVM's influence and attract more people to the community. However, the current analysis result from GraalVM is only applicable to native image, not to traditional Java programs, because the static analysis framework is cohered with native image features, including but not limited to:

Describe the solution you'd like.

We will propose several commits to adapt the static analysis framework for universal Java programs, including:

We would like to contribute the code to the upstream in a branch as a starting point, so that anyone who is interested in this feature can collaborate with us to make the solution more sophisticated.

Describe who do you think will benefit the most.

This feature can turn these Java users into GraalVM users.

christianwimmer commented 3 years ago

The assessment in this feature request is only partly correct.

The points-to analysis of GraalVM Native Image is actually factored out into separate projects (com.oracle.graal.pointsto) that are independent from Native Image, i.e., this project has no knowledge about class initialization, substitutions, features, or any other Native Image API.

But of course there is no other user of the analysis (that we know of) other than the native image generator. So the API is a bit blurry, i.e., some things are not on the correct side of the project boundary. The major APIs are the classes BigBang (with its subclass Inflation) and HostVM (with its subclass SVMHost).

If you have commits that strengthen the API boundary, we are happy to review them.

FYI @cstancu @d-kozak

ziyilin commented 3 years ago

Thanks @christianwimmer. I know the com.oracle.graal.pointsto is separate, but its input was prepared by the previous native-image phases. My previous idea was to tailor the native-image framework to make the input clean, so the user can still use native-image as the analysis driver. But now it seems creating a brand new main class to drive the analysis would be clearer and easier.

christianwimmer commented 3 years ago

I would start with a dependency just on com.oracle.graal.pointsto to start out as clean as possible. That means you make your own subclasses of BigBang and HostVM. If there are things that are currently in an SVM-specific project, then you can at first copy them over, and then later on we can work on hoisting them out to a VM-independent place.

cyw3 commented 2 years ago

Hi, I also think com.oracle.graal.pointsto is very useful.

An easy way to customize rules for pointsto is necessary.

fernando-valdez commented 5 months ago

Hi @christianwimmer, there seems to be a lot of work done referring to this ticket. Should we close this ticket?

christianwimmer commented 5 months ago

Depends on @ziyilin if they still plan to contribute PRs for this work.

ziyilin commented 5 months ago

Yes, there are still a few more PRs to go.