Generalized Points-to Graphs
ACM Transactions on Programming Languages and Systems (IF 1.5), Pub Date: 2020-05-25, DOI: 10.1145/3382092
Pritam M. Gharat 1 , Uday P. Khedker 1 , Alan Mycroft 2

Computing precise (fully flow- and context-sensitive) and exhaustive (as against demand-driven) points-to information is known to be expensive. Top-down approaches require repeated analysis of a procedure for separate contexts. Bottom-up approaches need to model unknown pointees accessed indirectly through pointers that may be defined in the callers and hence do not scale while preserving precision. Therefore, most approaches to precise points-to analysis begin with a scalable but imprecise method and then seek to increase its precision. We take the opposite approach in that we begin with a precise method and increase its scalability. In a nutshell, we create naive but possibly non-scalable procedure summaries and then use novel optimizations to compact them while retaining their soundness and precision. For this purpose, we propose a novel abstraction called the generalized points-to graph (GPG), which views points-to relations as memory updates and generalizes them using the counts of indirection levels leaving the unknown pointees implicit. This allows us to construct GPGs as compact representations of bottom-up procedure summaries in terms of memory updates and control flow between them. Their compactness is ensured by strength reduction (which reduces the indirection levels), control flow minimization (which removes control flow edges while preserving soundness and precision), and call inlining (which enhances the opportunities of these optimizations). The effectiveness of GPGs lies in the fact that they discard as much control flow as possible without losing precision. This is the reason GPGs are very small even for main procedures that contain the effect of the entire program. This allows our implementation to scale to 158 kLoC for C programs. At a more general level, GPGs provide a convenient abstraction to represent and transform memory in the presence of pointers. 
Future investigations can try to combine it with other abstractions for static analyses that can benefit from points-to information.

Updated: 2020-05-25