147:2 Tian Tan,Yue Li,Xiaoxing Ma,Chang Xu,and Yannis Smaragdakis et al.2007].A more precise pointer analysis is always favored by its clients as it implies,e.g.,fewer false alarms of bugs and vulnerabilities,more accurate code navigation,or potential for optimization. Context sensitivity has been demonstrated to be a major scheme for improving precision of Java pointer analysis [Fegade and Wimmer 2020;Feng et al.2015;Kanvar and Khedker 2016;Lhotak and Hendren 2008;Lhotak and Hendren 2006;Milanova et al.2002,2005;Tan et al.2017;Thakur and Nandivada 2019,2020;Thiessen and Lhotak 2017;Whaley and Lam 2004;Xu and Rountev 2008].With years of development,traditional context sensitivity performs well for small/medium programs,e.g.,2obj(object-sensitive pointer analysis with context length being two)can analyze most DaCapo benchmarks rapidly and precisely [Kastrinis and Smaragdakis 2013;Smaragdakis et al.2011];however,it is hard for it to scale to large and complex Java programs with good precision [Smaragdakis et al.2014].(An analysis not scaling means that it blows up in complexity and does not terminate even under very high time limits.) To address this problem,a series of research work [Hassanshahi et al.2017;Jeon et al.2019; Jeong et al.2017;Li et al.2018a,b,2020;Lu and Xue 2019;Minseok Jeon and Oh 2020;Oh et al.2014, 2015;Smaragdakis et al.2014;Wei and Ryder 2015]propose to apply context sensitivity selectively in the sense that contexts no longer apply to all methods,while context elements(e.g.,objects, types,call-sites)and context lengths may vary for different selected methods.Other,non-selected, methods are treated context-insensitively,in order to enable good scalability. Conversely,to gain better precision,selective context-sensitivity approaches usually have to sacrifice efficiency by allowing more methods to be analyzed context-sensitively,sometimes with longer context lengths or more precise but heavier context elements.In other words,these analyses need to make careful precision and efficiency trade-offs,where one more step towards precision may put the analysis at the risk of unscalability [Li et al.2020].As a result,seeking further precision improvement becomes hard,as limited efficiency margins are left to play with.Under such constraints,if the approach for more precise pointer analysis is not designed well,it may introduce significant overhead with minor or no precision improvement(e.g.,by selecting for sensitive treatment many precision-useless methods).More commonly,the analysis will choose to scale,but will sacrifice precision(e.g.,by selecting very few methods to treat context sensitively). Problem.For many real-world applications where points-to or alias information is required,such as certain bug detectors,security analyzers,etc.,good precision is much favored,even if the price is to run the analysis for a long time (e.g.,several hours)[Christakis and Bird 2016].Thus,the challenge we seek to address is to achieve,given a long but reasonable time allowance,precise pointer analysis results for large and complex Java programs,for which traditional context-sensitive analyses fail to scale,and selective context-sensitive analyses scale but with limited precision Method.We introduce a general(meta-)framework called Unity-Relay to produce highly precise pointer analyses for hard-to-analyze Java programs,by systematically exploiting and utilizing any selective context sensitivity technique.Unity-Relay is a one-two punch,with precision as its first priority: Unity-Relay takes as inputs a program P and a set of different selective context-sensitivity approaches,S; it first provides a method(called Unity)to unify all approaches in S(playing the role of a meta-heuristic),maximizing precision by applying the most stringent context-sensitivity selection made by any approach in S; if Unity fails to scale,the Relay method is employed.It divides the scalability burden of Unity into different passes(each pass is a run of context-sensitive pointer analysis guided by an approach in S),with the precision achieved by one pass being transmitted to and Proc.ACM Program.Lang.,Vol.5.No.OOPSLA,Article 147.Publication date:October 2021.147:2 Tian Tan, Yue Li, Xiaoxing Ma, Chang Xu, and Yannis Smaragdakis et al. 2007]. A more precise pointer analysis is always favored by its clients as it implies, e.g., fewer false alarms of bugs and vulnerabilities, more accurate code navigation, or potential for optimization. Context sensitivity has been demonstrated to be a major scheme for improving precision of Java pointer analysis [Fegade and Wimmer 2020; Feng et al. 2015; Kanvar and Khedker 2016; Lhoták and Hendren 2008; Lhoták and Hendren 2006; Milanova et al. 2002, 2005; Tan et al. 2017; Thakur and Nandivada 2019, 2020; Thiessen and Lhoták 2017; Whaley and Lam 2004; Xu and Rountev 2008]. With years of development, traditional context sensitivity performs well for small/medium programs, e.g., 2obj (object-sensitive pointer analysis with context length being two) can analyze most DaCapo benchmarks rapidly and precisely [Kastrinis and Smaragdakis 2013; Smaragdakis et al. 2011]; however, it is hard for it to scale to large and complex Java programs with good precision [Smaragdakis et al. 2014]. (An analysis not scaling means that it blows up in complexity and does not terminate even under very high time limits.) To address this problem, a series of research work [Hassanshahi et al. 2017; Jeon et al. 2019; Jeong et al. 2017; Li et al. 2018a,b, 2020; Lu and Xue 2019; Minseok Jeon and Oh 2020; Oh et al. 2014, 2015; Smaragdakis et al. 2014; Wei and Ryder 2015] propose to apply context sensitivity selectively in the sense that contexts no longer apply to all methods, while context elements (e.g., objects, types, call-sites) and context lengths may vary for different selected methods. Other, non-selected, methods are treated context-insensitively, in order to enable good scalability. Conversely, to gain better precision, selective context-sensitivity approaches usually have to sacrifice efficiency by allowing more methods to be analyzed context-sensitively, sometimes with longer context lengths or more precise but heavier context elements. In other words, these analyses need to make careful precision and efficiency trade-offs, where one more step towards precision may put the analysis at the risk of unscalability [Li et al. 2020]. As a result, seeking further precision improvement becomes hard, as limited efficiency margins are left to play with. Under such constraints, if the approach for more precise pointer analysis is not designed well, it may introduce significant overhead with minor or no precision improvement (e.g., by selecting for sensitive treatment many precision-useless methods). More commonly, the analysis will choose to scale, but will sacrifice precision (e.g., by selecting very few methods to treat context sensitively). Problem. For many real-world applications where points-to or alias information is required, such as certain bug detectors, security analyzers, etc., good precision is much favored, even if the price is to run the analysis for a long time (e.g., several hours) [Christakis and Bird 2016]. Thus, the challenge we seek to address is to achieve, given a long but reasonable time allowance, precise pointer analysis results for large and complex Java programs, for which traditional context-sensitive analyses fail to scale, and selective context-sensitive analyses scale but with limited precision. Method. We introduce a general (meta-)framework called Unity-Relay to produce highly precise pointer analyses for hard-to-analyze Java programs, by systematically exploiting and utilizing any selective context sensitivity technique. Unity-Relay is a one-two punch, with precision as its first priority: • Unity-Relay takes as inputs a program P and a set of different selective context-sensitivity approaches, 𝑆; • it first provides a method (called Unity) to unify all approaches in 𝑆 (playing the role of a meta-heuristic), maximizing precision by applying the most stringent context-sensitivity selection made by any approach in 𝑆; • if Unity fails to scale, the Relay method is employed. It divides the scalability burden of Unity into different passes (each pass is a run of context-sensitive pointer analysis guided by an approach in 𝑆), with the precision achieved by one pass being transmitted to and Proc. ACM Program. Lang., Vol. 5, No. OOPSLA, Article 147. Publication date: October 2021