ABSTRACT
We will describe the design and implementation of a fast points-to analysis system. On some industrial code bases (about a million lines of unpreprocessed C code) this system performs context-insensitive field-based Andersen-style points-to analysis in less than a second and uses less than 10MB of memory. The two main contributions of the work are a database-centric analysis architecture called compile-link-analyze (CLA), and a new graph-based algorithm for implementing a form of dynamic transitive closure. An open source release of our system should be available soon.
Index Terms
- Aliasing analysis for a million lines of C