NJU Static Program Analysis 09: Pointer Analysis II

NJU Static Program Analysis 09: Pointer Analysis II

Abstract

• Understand pointer analysis rules
• Understand pointer flow graph
• Understand pointer analysis algorithms

Notes

In this lecture, we will study some theoretical foundations of pointer analysis. Let's start with the notations:

Type	Notation
Variables	\(x,y \in V\)
Fields	\(f, g \in F\)
Objects	\(o_i, o_j \in O\)
Instance fields	\(o_i.f, o_j.g \in O \times F\)
Pointers	\(Pointer = V \cup (O \times F)\)
Points-to relations	\(pt: Pointer \to \mathcal P(O)\)

And for the pointer related statements, we furtherly have:

Type	Statement	Rule
New	i: x = new T()	\(\overline {o_i \in pt(x)}\)
Assign	x = y	\(\Large \frac{o_i~ \in~ pt(y)}{oi ~\in~ pt(x)}\)
Store	x.f = y	\(\Large \frac{o_i ~\in~ pt(x),~ o_j ~\in~ pt(y)}{o_j ~\in~ pt(o_i.f)}\)
Load	y = x.f	\(\Large \frac{o_i ~\in~pt(x),~ o_j ~\in~pt(o_i.f)}{o_j ~\in~pt(y)}\)

Formulas above the line are the premises, and the under ones are the conclusions. The conclusion without a premise is an unconditional one.

Observing theses rules, we can find that except the New statement, other statements abstractly described the flow of points-to information. Based on this observation, we can construct a Pointer Flow Graph(PFG) that maintaining the flow-to relations of the points-to information. For the assign statement we have an edge \(y \to x\), for the store statement \(y \to o_i.f\) and for the load statement \(o_i.f \to y\).

If we have constructed a PFG, then after all the transferring of the points-to information, the pointer analysis would be done. However as we can see, the construction of the PFG is somehow relies on the points-to information we need. In this context, the pointer analysis algorithm will become more complex than common SPFA.

The \(pt\) map maintains the final result of our pointer analysis. Solve() differs from normal BFS that it adds edges to the graph while searching through it. Generally it's easy to understand.