PUS: A Fast and Highly Efficient Solver for Inclusion-based Pointer Analysis

Abstract

A crucial performance bottleneck in most interprocedural static analyses is solving pointer analysis constraints. We present Pus, a highly efficient solver for inclusion-based pointer analysis. At the heart of Pus is a new constraint solving algorithm that signifi-cantly advances the state-of-the-art. Unlike the existing algorithms (i.e., wave and deep propagation) which construct a holistic constraint graph, at each stage Pus only considers partial constraints that causally affect the final fixed-point computation. In each iteration Pus extracts a small causality subgraph and it guarantees that only processing the causality subgraph is sufficient to reach the same global fixed point. Our extensive evaluation of Pus on a wide range of real-world large complex programs yields highly promising results. Pus is able to analyze millions of lines of code such as PostgreSQL in 10 minutes on a commodity laptop. On average, Pus is more than 7x faster in solving context-sensitive constraints, and more than 2x faster in solving context-insensitive constraints compared to the state of the art wave and deep propagation algorithms. Moreover, Pus has been used to find tens of previous unknown bugs in high-profile codebases including Linux, Redis, and Memcached.