Flow-Insensitive Points-To Analyses for Frama-C
Abstract: In this book, we compare two known algorithms for flow-insensitive points-to analysis. We show that they differ in precision and complexity. Andersen’s algorithm offers a flow-insensitive analysis with high precision. Steensgaard’s algorithm provides a high-performance points-to analysis. Its time complexity in the number of program statements becomes almost linear if one uses Tarjan’s disjoint sets as the data structure for Steensgaard’s algorithm. We implemented the disjoint sets with a single array. Using arrays, with their fast read access, has the advantage of providing a high-performance data structure for the analyses. The performance has been tested in Section 5.2. We showed that a functional programming language like OCaml is well suited for an implementation of Steensgaard’s algorithm. Since our program is written in OCaml, it could be used as a prototype for a Frama-C plugin. During development we encountered a problem that emerges from uninitialized pointers. Their referenced locations have to be unifiable regardless of whether these locations are empty or not. To overcome this problem, we introduced distinct empty sets that can be merged.
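The following sketch is an added example, not the book's OCaml code: a simplified Steensgaard-style unification in Python over an array-backed disjoint-set structure, restricted to the statements `x = &y` and `x = y`. The class name, the statement encoding and the choice to give each uninitialized pointer a fresh empty pointee class are assumptions made here as one reading of "distinct empty sets that can be merged"; union by rank is omitted for brevity.

```python
class Steensgaard:
    def __init__(self, stmts=()):
        self.parent = []   # disjoint sets in one array; parent[i] == i marks a root
        self.pointee = []  # per root: node its class points to, None until needed
        self.ids = {}      # variable name -> node index
        for op, x, y in stmts:
            self.assign(op, x, y)
    def fresh(self):
        self.parent.append(len(self.parent))
        self.pointee.append(None)
        return len(self.parent) - 1
    def node(self, name):
        if name not in self.ids:
            self.ids[name] = self.fresh()
        return self.ids[name]
    def find(self, i):
        while self.parent[i] != i:
            self.parent[i] = self.parent[self.parent[i]]  # path halving
            i = self.parent[i]
        return i
    def target(self, i):
        # An uninitialized pointer gets its own distinct, empty pointee class.
        r = self.find(i)
        if self.pointee[r] is None:
            self.pointee[r] = self.fresh()
        return self.find(self.pointee[r])
    def join(self, a, b):
        a, b = self.find(a), self.find(b)
        if a == b:
            return
        pa, pb = self.pointee[a], self.pointee[b]
        self.parent[b] = a
        if pa is None:
            self.pointee[a] = pb
        elif pb is not None:
            self.join(pa, pb)  # unify what the two classes point to
    def assign(self, op, x, y):
        x, y = self.node(x), self.node(y)
        # "addr" is x = &y, "copy" is x = y (constructed statement encoding)
        self.join(self.target(x), y if op == "addr" else self.target(y))
    def points_to(self, name):
        t = self.target(self.node(name))
        return sorted(v for v, i in self.ids.items() if self.find(i) == t)

# Constructed input: r and s are never initialized before "r = s".
SAMPLE = [("addr", "p", "a"), ("addr", "q", "b"), ("copy", "p", "q"),
          ("copy", "r", "s"), ("addr", "s", "c")]
```

Because `r = s` merges two empty classes, the later `s = &c` also shows up in the points-to set of `r`.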