Bidirectionality in flow-sensitive demand-driven analysis

Abstract

Demand-driven methods for program analysis have primarily been viewed as efficient algorithms for computing the same information as the corresponding exhaustive methods, but for a given set of demands. We explore demand-driven flow-sensitive alias analysis (which we call ADFSA ) and propose its improved version called PDFSA that computes both aliases and pointers for the demands raised by changing the notion of relevance for indirect assignment statements. We formally show that while ADFSA is as precise as the corresponding exhaustive flow-sensitive alias analysis ( EFSA ), PDFSA can be more precise than both ADFSA and EFSA . This surprising result is based on the following insight: A demand-driven method computes less information than the corresponding exhaustive method. PDFSA exploits this to reduce the uncertainty caused by aliasing which in turn, reduces the conflation of memory locations thereby increasing precision. We formalize PDFSA using an inherent property of a demand-driven flow-sensitive alias analysis: demands are propagated against the control flow and aliases are propagated along the control flow. Traditionally, this has been seen as a collection of two separate analyses whose interaction is controlled by an algorithm that drives the two analyses. We formalize this algorithmic view as a bidirectional data flow analysis to define PDFSA declaratively. Further, we define Meet Over Paths (MoP) solution for bidirectional flows for reasoning about the soundness of PDFSA. Our definition generalizes the classical definition of MoP which is restricted to unidirectional flows. We have implemented PDFSA, ADFSA, and EFSA for static resolution of virtual function calls in C++ for constructing more precise call graphs. Our measurements show that the call graphs computed using PDFSA are indeed more precise than those that are computed using ADFSA or EFSA.