Abstract
The use of pointers presents serious problems for software productivity tools for software understanding, restructuring, and testing. Pointers enable indirect memory accesses through pointer dereferences, as well as indirect procedure calls (e.g., through function pointers in C). Such indirect accesses and calls can be disambiguated with pointer analysis. In this paper we evaluate the precision of one specific pointer analysis (the FA pointer analysis by Zhang et al.) for the purposes of call graph construction for C programs with function pointers. The analysis is incorporated in a production-strength code-browsing tool from Siemens Corporate Research in which the program call graph is used as a primary tool for code understanding.
The FA pointer analysis uses an inexpensive, almost-linear, flow- and context-insensitive algorithm. To measure analysis precision, we compare the call graph constructed by this analysis with the most precise call graph obtainable by a large category of existing pointer analyses. Surprisingly, for all our data programs the FA analysis achieves the best possible precision. This result indicates that for the purposes of call graph construction, inexpensive pointer analyses may provide precision comparable to the precision of expensive pointer analyses.
This is a preview of subscription content, log in via an institution to check access.
Similar content being viewed by others
References
Andersen, L. 1994. Program analysis and specialization for the C programming language. Ph.D. thesis, DIKU, University of Copenhagen.
Antoniol, G., Calzolari, F., and Tonella, P. 1999. Impact of function pointers on the call graph. In European Conference on Software Maintenance and Reengineering, pp. 51–59.
Cheng, B. and Hwu, W. 2000. Modular interprocedural pointer analysis using access paths. In Conference on Programming Language Design and Implementation, pp. 57–69.
Das, M. 2000. Unification-based pointer analysis with directional assignments. In Conference on Programming Language Design and Implementation, pp. 35–46.
Emami, M., Ghiya, R., and Hendren, L. 1994. Context-sensitive interprocedural points-to analysis in the presence of function pointers. In Conference on Programming Language Design and Implementation, pp. 242–257.
Fähndrich, M., Rehof, J., and Das, M. 2000. Scalable context-sensitive flowanalysis using instantiation constraints. In Conference on Programming Language Design and Implementation, pp. 253–263.
Foster, J., Fähndrich, M., and Aiken, A. 2000. Polymorphic versus monomorphic flow-insensitive points-to analysis for C. In Static Analysis Symposium, pp. 175–198.
Hind, M. 2001. Pointer analysis: Haven't we solved this problem yet? In Workshop on Program Analysis for Software Tools and Engineering, pp. 54–61.
Hind, M., Burke, M., Carini, P., and Choi, J. 1999. Interprocedural pointer alias analysis. ACM Trans.Programming Languages and Systems, 21(4):848–894.
Landi, W. 1992. Undecidability of static analysis. ACM Letters on Programming Languages and Systems, 1(4): 323–337.
Landi,W. and Ryder, B.G. 1992.Asafe approximation algorithm for interprocedural pointer aliasing. In Conference on Programming Language Design and Implementation, pp. 235–248.
Ryder, B.G., Landi, W., Stocks, P., Zhang, S., and Altucher, R. 2001. A schema for interprocedural side-effect analysis with pointer aliasing. ACM Trans.Programming Languages and Systems, 23(1):105–186. An earlier version available as Rutgers Computer Science Department Technical Report DCS-TR-336.
Liang, D. and Harrold, M.J. 1999. Efficient points-to analysis for whole-program analysis. In Symposium on the Foundations of Software Engineering, pp. 199–215.
Mock, M., Atkinson, D., Chambers, C., and Eggers, S. 2002. Improving program slicing with dynamic points-to data. In Symposium on the Foundations of Software Engineering, pp. 71–80.
Murphy, G., Notkin, D., Griswold, W., and Lan, E. 1998. An empirical study of static call graph extractors. ACM Trans.on Software Engineering and Methodology, 7(2):158–191.
Reps, T., Horwitz, S., and Sagiv, M. 1995. Precise interprocedural dataflow analysis via graph reachability. In Symposium on Principles of Programming Languages, pp. 49–61.
Rountev, A. and Chandra, S. 2000. Off-line variable substitution for scaling points-to analysis. In Conference on Programming Language Design and Implementation, pp. 47–56.
Shapiro, M. and Horwitz, S. 1997. Fast and accurate flow-insensitive points-to analysis. In Symposium on Principles of Programming Languages, pp. 1–14.
Sharir,M. and Pnueli, A. 1981. Two approaches to interprocedural dataflow analysis. In S. Muchnick and N. Jones, editors, Program Flow Analysis: Theory and Applications. Prentice Hall, pp. 189–234.
Steensgaard, B. 1996. Points-to analysis in almost linear time. In Symposium on Principles of Programming Languages, pp. 32–41.
Tonella, P., Antoniol, G., Fiutem, F., and Calzolari, F. 2000. Reverse engineering 4.7 million lines of code. Software—Practice and Experience, 30(2):129–150.
Wilson, R., and Lam, M. 1995. Efficient context-sensitive pointer analysis for C programs. In Conference on Programming Language Design and Implementation, pp. 1–12.
Yong, S., Horwitz, S., and Reps, T. 1999. Pointer analysis for programs with structures and casting. In Conference on Programming Language Design and Implementation, pp. 91–103.
Zhang, S. 1998. Practical pointer aliasing analyses for C. Ph.D. thesis, Rutgers University.
Zhang, S., Ryder, B.G., and Landi,W. 1996. Program decomposition for pointer aliasing: A step towards practical analyses. In Symposium on the Foundations of Software Engineering, pp. 81–92.
Author information
Authors and Affiliations
Rights and permissions
About this article
Cite this article
Milanova, A., Rountev, A. & Ryder, B.G. Precise Call Graphs for C Programs with Function Pointers. Automated Software Engineering 11, 7–26 (2004). https://doi.org/10.1023/B:AUSE.0000008666.56394.a1
Issue Date:
DOI: https://doi.org/10.1023/B:AUSE.0000008666.56394.a1