Phoenix: A Modular and Versatile Framework for C/C++ Pointer Analysis

TL;DR

Phoenix is a flexible, modular framework for C/C++ pointer analysis that unifies multiple algorithms, making analysis comparison, composition, and trade-offs easier, while delivering significant speedups and supporting bug detection in real-world tools.

Contribution

Phoenix introduces a unified, modular framework for C/C++ pointer analysis that simplifies comparison, composition, and tuning of different algorithms.

Findings

Up to 2.88x speedup in baseline configuration

Up to 2.91x speedup in precise configuration

Enabled detection of hundreds of new bugs in industrial tools

Abstract

We present Phoenix, a modular pointer analysis framework for C/C++ that unifies multiple state-of-the-art alias analysis algorithms behind a single, stable interface. Phoenix addresses the fragmentation of today's C/C++ pointer analysis ecosystem by cleanly separating IR construction, constraint generation, solver backends, and client-facing queries, making analyses easy to compare, swap, and compose while exposing explicit precision-performance trade-offs. We evaluate Phoenix against SVF under two representative configurations: a flow- and context-insensitive setting and a more precise flow- and context-sensitive setting, on 28 GNU coreutils programs. Phoenix delivers robust speedups in the baseline configuration (up to 2.88x) and remains competitive, and often faster, even in the stronger precision regime (up to 2.91x), without a systematic runtime penalty. In production, Phoenix serves as the analysis substrate for static analysis and fuzzing tools that have uncovered hundreds of new bugs and enabled deployments reporting more than 1000 bugs found in an industrial toolchain.