Flow- and Context-Sensitive Points-to Analysis using Generalized Points-to Graphs

TL;DR

This paper introduces generalized points-to graphs (GPGs) for flow- and context-sensitive points-to analysis, enabling scalable, precise, and efficient interprocedural analysis by reducing complexity and size of summary flow functions.

Contribution

It generalizes points-to relations with indirection counts, creating compact GPGs that efficiently represent memory and transformations without placeholders, improving scalability of FCPA.

Findings

GPGs are linearly bounded by variables, independent of statement count

Empirical results show GPGs are compact even for large procedures

FCPA with GPGs scales to 158 kLoC, outperforming previous methods

Abstract

Computing precise (fully flow-sensitive and context-sensitive) and exhaustive points-to information is computationally expensive. Many practical tools approximate the points-to information trading precision for efficiency. This has adverse impact on computationally intensive analyses such as model checking. Past explorations in top-down approaches of fully flow- and context-sensitive points-to analysis (FCPA) have not scaled. We explore the alternative of bottom-up interprocedural approach which constructs summary flow functions for procedures to represent the effect of their calls. This approach has been effectively used for many analyses. However, it is computationally expensive for FCPA which requires modelling unknown locations accessed indirectly through pointers. Such accesses are commonly handled by using placeholders to explicate unknown locations or by using multiple call-specific summary flow functions. We generalize the concept of points-to relations by using the counts of indirection levels leaving the unknown locations implicit. This allows us to create summary flow functions in the form of generalized points-to graphs (GPGs) without the need of placeholders. By design, GPGs represent both memory (in terms of classical points-to facts) and memory transformers (in terms of generalized points-to facts). We perform FCPA by progressively reducing generalized points-to facts to classical points-to facts. GPGs distinguish between may and must pointer updates thereby facilitating strong updates within calling contexts. The size of GPG is linearly bounded by the number of variables and is independent of the number of statements in the procedure. Empirical measurements on SPEC benchmarks show that GPGs are indeed compact in spite of large procedure sizes. This allows us to scale FCPA to 158 kLoC using GPGs (compared to 35 kLoC reported by liveness-based FCPA).