Fast and Precise Points-to Analysis
Abstract: Many software engineering applications require points-to analysis. These client applications range from optimizing compilers to integrated program development environments (IDEs) and from testing environments to reverse-engineering tools. The software engineering applications are often user-interactive, or used in an edit-compile cycle, and need the points-to analysis to be fast and precise.
In this compilation thesis, we present a new context- and flow-sensitive approach to points-to analysis that is both fast and precise. This is accomplished by a new SSA-based flow-sensitive dataflow algorithm (Paper 1) and a new context-sensitive analysis (Paper 2). Compared to other well-known analysis approaches, our approach is faster in practice: on average, twice as fast as the call string approach and an order of magnitude faster than the object-sensitive technique. In fact, it proves to be only marginally slower than a context-insensitive baseline analysis. At the same time, it provides higher precision than the call string technique and is similar in precision to the object-sensitive technique. We confirm these statements with experiments in Paper 2.
Paper 3 is a systematic comparison of ten different variants of context-sensitive points-to analysis using different call-depths for separating the contexts. Previous works indicate that analyses with a call-depth only provide slightly better precision than context-insensitive analysis, and they find no substantial precision improvement when using more expensive analyses with call-depth . The hypothesis in Paper 3 is that substantial differences between the context-sensitive approaches show if (and only if) the precision is measured by more fine-grained metrics focusing on individual objects (rather than methods and classes) and references between them. These metrics are justified by the many applications requiring such detailed object reference information.
The main results in Paper 3 show that the differences between different context-sensitive analysis techniques are substantial; the differences between the context-insensitive and the context-sensitive analyses with call-depth are also substantial. The major surprise was that increasing the call-depth did not lead to any substantial precision improvements. This is a negative result since it indicates that, in practice, we cannot get a more precise points-to analysis by increasing the call-depth. Further investigations show that substantial precision improvements can be detected for but they occur at such a low detail level that they are unlikely to be of any practical use.