Abstract
We present techniques for efficient computation of points-to information for C programs. Pointer analysis is an important phase in the compilation process. The computed points-to information and the alias information are useful for client analyses from varied domains such as bug finding, data-flow analysis, identifying security vulnerabilities, and parallelization, to name a few. Former research on pointer analysis has indicated that the main bottleneck to scalability is the presence of complex constraints (load p = *q and store *p = q constraints) in the program. Complex constraints add edges to the constraint graph in an unpredictable manner and are responsible for initiating propagation of large amounts of points-to information across edges. We identify that the root cause of this issue is the homogeneous structure of the constraint graph, due to which existing analyses treat loads and stores in a uniform manner. To address these issues, we present two techniques. First, we represent a constraint graph in a non-homogeneous manner, treat loads and stores in different ways, and employ a push-pull model for non-uniform propagation. Second, we propose lazy propagation, which propagates information in the constraint graph only when necessary. We illustrate the effectiveness of our techniques using six large open-source programs and show that they improve the analysis time over a state-of-the-art BDD-based analysis by 33% and over Deep Propagation by 21%.
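To make the point about complex constraints concrete, the following is an added example, not code from the paper: a baseline inclusion-based (Andersen-style) worklist solver that treats loads and stores uniformly, which is the behaviour the abstract identifies as the bottleneck, not the paper's push-pull or lazy propagation. The constraint tuple format, the function name `solve`, and the sample program are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

def solve(constraints):
    """Baseline solver. constraints: (kind, lhs, rhs) tuples, kind in
    {"addr": lhs = &rhs, "copy": lhs = rhs, "load": lhs = *rhs, "store": *lhs = rhs}."""
    pts = defaultdict(set)       # variable -> points-to set
    succ = defaultdict(set)      # edge src -> dst means pts(src) is a subset of pts(dst)
    loads = defaultdict(list)    # q -> [p, ...] for every p = *q
    stores = defaultdict(list)   # p -> [q, ...] for every *p = q
    work = deque()
    added = 0                    # edges created by complex constraints while solving

    for kind, lhs, rhs in constraints:
        if kind == "addr":
            pts[lhs].add(rhs)
            work.append(lhs)
        elif kind == "copy":
            succ[rhs].add(lhs)
        elif kind == "load":
            loads[rhs].append(lhs)
        elif kind == "store":
            stores[lhs].append(rhs)
        else:
            raise ValueError(f"unknown constraint kind: {kind}")

    def add_edge(src, dst):
        nonlocal added
        if dst not in succ[src]:
            succ[src].add(dst)
            added += 1
            if pts[src]:
                work.append(src)  # new edge: src must push its set again

    while work:
        n = work.popleft()
        # Complex constraints: the edges depend on pts(n), so they only
        # become known during solving, not from the program text.
        for v in list(pts[n]):
            for p in loads[n]:    # p = *n  =>  edge v -> p
                add_edge(v, p)
            for q in stores[n]:   # *n = q  =>  edge q -> v
                add_edge(q, v)
        for dst in succ[n]:       # propagate along (possibly new) edges
            if not pts[n] <= pts[dst]:
                pts[dst] |= pts[n]
                work.append(dst)
    return pts, added

# Constructed sample: p = &a; q = &b; r = &p; *r = q; s = *r;
SAMPLE = [("addr", "p", "a"), ("addr", "q", "b"), ("addr", "r", "p"),
          ("store", "r", "q"), ("load", "s", "r")]
```

On the sample, neither the edge q -> p nor p -> s exists until pts(r) is known, and p is re-queued after the store widens its set, so s is updated twice.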