Skip to Content
Static Program Analysis

Pointer-Analysis

2020-04-26Original-language archivelegacy assets may be incomplete

Pointer-Analysis

  • Program -> Points-to relations
  • Pointer Analysis: which objects a pointer can point to
  • Alias analysis: can two pointers point to the same object
  • Pointer-Analysis Application
    • Fundamental information
    • Compiler optimization
    • Bug detection
    • Security analysis
Factor Problem Choice
Heap abstraction How to model heap memory Allocation-site/storeless
Context sensitivity How to model calling contexts Context-sensitive/insensitive
Flow sensitivity How to model control flow Flow-sensitive/insensitive
Analysis scope which parts of program should be analyzed whole-program/demand-driven
  • allocation-site abstraction: one abstract object per allocation site

Concerned Statements

  • pointer-affecting statements
    • New: x = new T()
    • Assign: x = y
    • Store: x.f = y
    • Load: y = x.f
    • Call: r = x.k(a, ...)
      • Static Call
      • Special Call
      • Virtual Call
  • Pointers in Java
    • Local variable: x
    • static field: f
    • Instance field: x.f
    • Array element: array[i]
      • ignore indexes

Rules

  • Notations
    • Variables: x,yVx,y\in V
    • Fields: f,gFf,g\in F
    • Objects: oi,ojOo_i,o_j\in O
    • Instance fields: oi.f,oj.fO×Fo_i.f,o_j.f\in O\times F
    • Pointers: Pointer = V(O×F)V\cup (O\times F)
    • Points-to relations: ptpt = Pointer P(O)\rightarrow \mathcal{P}(O)(幂集)
  • Rules
    • x = new T(): oipt(x)\frac{}{o_i \in pt(x)}
    • x = y: oipt(y)oipt(x)\frac{o_i\in pt(y)}{o_i\in pt(x)}
    • x.f = y: oipt(x),ojpt(y)ojpt(oi.f)\frac{o_i\in pt(x), o_j\in pt(y)}{o_j\in pt(o_i.f)}
    • y = x.f: oipt(x),ojpt(oi.f)ojpt(y)\frac{o_i\in pt(x), o_j\in pt(o_i.f)}{o_j\in pt(y)}

Algorithms